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Counsel for Plaintiffs 





IN THE UNITED STATES DISTRICT COURT 
FOR THE NORTHERN DISTRICT OF CALIFORNIA 




SAN FRANCISCO DIVISION 


MATTHEW HINES; JENNIFER AGUIRRE; V W T '1 

ALEXANDER HERNANDEZ; individuals, on ^ X 

behalf of themselves and others similarly situated, JURY DEMAND 


ll 3084 


Plaintiffs, 


OPENFEINT, INC., a Delaware Corporation; and 
GREE INTERNATIONAL, INC., a California 
Corporation 

Defendants. 


CLASS ACTION COMPLAINT 
FOR: 

1. Violations of Computer Fraud 
and Abuse Act, 18 U.S.C. 

§1030; 

2. Violations of the Electronic 
Communications Privacy Act 18 
U.S.C. §2510; 

3. Violations of California's 
Computer Crime Law, Penal 
Code § 502; 

4. Violations of the California 
Invasion of Privacy Act, Penal 
Code § 630; 


5. Violations of the Consumer 
Legal Remedies Act, (“CLRA”) 
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California Civil Code § 1750; 

6. Violation of Unfair Competition, 
California Business and 
Professions Code § 17200; 

7. Breach of Contract; 

8. Breach of Implied Covenant of 
Good Faith and Fair Dealing; 

9. Conversion; 

10. Negligence; and 

11. Trespass to Personal Property / 

___ Chattels 

Plaintiffs, Matthew Hines, Jennifer Aguirre, and Alexander Hernandez, on behalf of 
themselves and all others similarly situated, by and through their attorneys, Parisi & Havens 
LLP, and the Law Office of Joseph H. Malley, P.C., as and for their complaint, and demanding 
trial by jury, allege as follows upon information and belief, based upon, inter alia, investigation 
conducted by and through their attorneys, which are alleged upon knowledge, sue Defendants 
OpenFeint, Inc., and GREE International, Inc. Plaintiffs’ allegations as to themselves and their 
own actions, as set forth herein are based upon their personal knowledge, and all other 
allegations are based upon information and belief pursuant to the investigations of counsel. 
Based upon such investigation. Plaintiffs believe that substantial evidentiary support exists for 
the allegations herein or that such allegations are likely to have evidentiary support after a 
reasonable opportunity for further investigation and discovery. 

NATURE OF THE ACTION 

1. Plaintiffs bring this consumer Class Action lawsuit pursuant to Federal Rules of 

Civil Procedure 23(a), (b)(1), (b)(2), and (b)(3) on behalf of themselves and a class of similarly 

situated Internet users (each a “Class Member” of the putative “Class”) who were victims of 

privacy violations, and unfair and deceptive business wherein their privacy and security rights 

_ OpenFeint Class Action Complaint 
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Developers and Application Developer’s Affiliates, knowingly authorizing, directing, ratifying, 
approving, acquiescing in, or participating in conduct, made the basis of this Class Action, which 
included, but was not limited to, the unauthorized access to and unauthorized use of the 
Plaintiffs’ and Class Members’ mobile devices UDIDs. 

4. Defendant OpenFeint’s business plan involved unauthorized access to, and 
disclosure of, Personal Information (“PI”), Personally Identifiable Information (“PH”), Sensitive 
Identifying Information (“SII”), and the user’s exact latitude and longitude, GPS “Fine” co¬ 
ordinates (“Fine GPS”), obtained from the Plaintiffs’ and Class Members’ mobile devices, using 
their UDIDs to aggregate Plaintiffs’ and Class Members’ data, which the Defendant 
accomplished covertly, without adequate notice or consent of its users, involving one hundred 
million (100,000,000) consumer mobile devices, circumventing Plaintiffs' and Class Members’ 
privacy and security controls, for purposes not disclosed within its Terms of Service and/or 
Privacy Policy, nor the Application Developers, failing to protect Plaintiffs and Class Members, 
involving their privacy and endangering their physical security, causing harm and economic 
injury, and accomplished by Defendant OpenFeint for commercial gain. To accentuate the level 
of privacy and security concerns, many of the downloaded applications affiliated with Defendant 
OpenFeint involved the unauthorized tracking of minor children. 

INTRADISTRICT ASSIGNMENT 

5. Defendant OpenFeint, Inc.’s principal executive offices and headquarters are 
located in this District at 330 Primrose Road, Burlingame, California. Intra-district assignment 
to the San Francisco Division is proper. 

JURISDICTION AND VENUE 

6. Venue is proper in this District under 28 U.S.C. §1391(b) and (c) against 
Defendant. A substantial portion of the events and conduct giving rise to the violations of law 

- OpenFeint Class Action Complaint 
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complained of herein occurred in this District and Defendant conduct business with consumers in 
this District. Defendant OpenFeint, Inc.’s principle executive offices and headquarters during the 
class period were located in this District. Defendant GREE International, Inc.’s principle 
executive offices and headquarters during the class period were located in this District. 

7. This court has Federal question jurisdiction as the complaint alleges violation of 
the following: (1) Computer Fraud and Abuse Act, 18 U.S.C. §1030; and (2) Electronic 
Communications Privacy Act 18 U.S.C. §2510. 

8. Subject-matter jurisdiction exists in this Court related to this action pursuant to 
the Class Action Fairness Act, 28 U.S.C. § 1332(c). The aggregate claims of Plaintiffs and the 

proposed Class Members exceed the sum or value of $5,000,000.00 exclusive of interests and 
costs. 

9. Venue is proper in this district and vests jurisdiction in the California state and 
federal courts in the district of the location of their principal corporate place of businesses. Thus, 
mandatory jurisdiction in this U.S. District Court vests for any Class Member, wherever they 
reside, for the mobile device activity made the basis of this action which occurred within the 
United States. The application of the law of the State of California should be applied to any 
mobile device activity made the basis of this action anywhere, within the United States, as if any 
and all activity occurred entirely in California and to California resident. Thus, citizens and 
residents of all states are, for all purposes related to this instant Complaint, similarly situated 
with respect to their rights and claims as California residents, and therefore are appropriately 
included as members of the Class, regardless of their residency, or wherever the mobile device 
activity occurred made the basis of this action. 

10. This Court has personal jurisdiction over Defendants OpenFeint and GREE which 
maintained their corporate headquarters in, and the acts alleged herein, were committed in 


OpenFeint Class Action Complaint 
5 


28 







1 

2 

3 

4 

5 

6 
7 


California, within this district, during the class period. 

11. Minimal diversity of citizenship exists in this action, providing jurisdiction as 
proper in the Court, since Defendant is a corporation headquartered in this District during the 
class period, and Plaintiffs include citizens and residents of this District, and assert claims on 
behalf of a proposed Class whose members are scattered throughout the fifty states and the U.S. 
territories; thus there is minimal diversity of citizenship between proposed Class Members and 
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the Defendant. 

12. This is the judicial district wherein the basis of the conduct complained of herein 
involving the Defendant was devised, developed, implemented. The actual interaction of 
information and data was activated from, and transmitted to and from this District; therefore all 
evidence of conduct as alleged in this complaint is located in this judicial district. 

PARTIES 

13. Plaintiff Matthew Hines (“Hines”) is a citizen and resident of Fort Worth, Texas, 
(Tarrant County, Texas). 

14. Plaintiff Jennifer Aguirre (“Aguiire”) is a citizen and resident of Milwaukee, 
Wisconsin, (Milwaukee County, Wisconsin). 

15. Plaintiff Alexander Hernandez (“Hernandez”) is a citizen and resident of Dallas, 
Texas, (Dallas County, Texas). 

16. Defendant OpenFeint, Inc., (“OpenFeint” or “Defendant”) is a Delaware 
corporation headquartered in California, during the class period, a privately owned corporation, 
which maintained its headquarters at 330 Primrose Road, Burlingame, Suite 515, California, 
(San Mateo County, California). Defendant OpenFeint, does business throughout the United 
States, and in particular, does business in State of California and in this judicial district. 

17. Defendant GREE International, Inc., (“GREE” or “Defendant”) is a California 

OpenFeint Class Action Complaint 
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corporation headquartered in California, during the class period, a privately owned corporation, 
which maintained its headquarters at 1084 De Haro Street, San Francisco, California, (San 
Francisco County, California). Defendant GREE, does business throughout the United States, 
and in particular, does business in State of California and in this judicial district. 

A. Plaintiff Matthew Hines’ Experience 

18. On information and belief, Plaintiff Matthew Hines incorporates all allegations 
withm this complaint, and his experiences are the same to all Plaintiffs and Class Members. 
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19. At all relevant times herein, Hines owned a mobile device, operated by a mobile 
device operating system, used that mobile device, and on one or more occasions during the class 
period, in the city of residence, accessed one (1) or more of the applications, that on information 
and belief, are affiliated with the Defendant OpenFeint, which resulted in Defendant OpenFeint 
gaining unauthorized access to, and unauthorized use of, Hines' mobile device's UDID. 

20. As Hines accessed his applications, Defendant OpenFeint, without adequate 
notice, or consent, accessed, collected, monitored, and remotely stored, his mobile device’s 
Unique Device Identifiers. 

21. In April 2011, Hines became aware of information related to the tracking 
activities of one (1) or more of Defendant OpenFeint and its affiliated applications. It is Hines’ 
belief that Defendant OpenFeint's accessing of his mobile device’s UDID permitted tracking 
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within his mobile device, used for tracking by Defendant OpenFeint, Application Developers, 
and Application Developer’s Affiliates. Hines did not receive adequate notice of the use of such a 
tracking identifier, did not consent to the use of such a tracking identifier, and did not want such 
a tracking identifier installed on his mobile device to track his mobile activities. 

22. Plaintiff Hines considers the information which uniquely identifies his mobile 
device to be in the nature of confidential. Plaintiff Hines believes that Personally Identifiable 

- OpenFeint Clas s Action Comnlaint- 
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Information should not be obtained or disclosed without adequate notice or consent, and 
aggregating his Personally Identifiable Information to link such to his mobile device's UDIDs 
violates his privacy and security which resulted in harm. 

23. Plaintiff Hines believes that if he were to activate the Defendant OpenFeint’s 
Affiliated Applications, or access the Defendant OpenFeint’s App Markets and download 
Defendant OpenFeint affiliated applications, the tracking device used by Defendant OpenFeint to 
access, collect, monitor, and remotely use the applications to obtain his mobile device’s UDIDs 
would be used again by the Defendant OpenFeint. 

Plaintiff Jennifer Aguirre’s Experience 

24. On information and belief, Plaintiff Jennifer Aguirre incorporates all allegations 
within this complaint, and her experiences are the same to all Plaintiffs and Class Members. 

25. At all relevant times herein, Aguirre owned a mobile device, operated by a mobile 
device operating system, used that mobile device, and on one or more occasions during the class 
period, in the city of residence, accessed one (1) or more of the applications, that on information 
and belief, are affiliated with the Defendant OpenFeint, which resulted in Defendant OpenFeint 
gaining unauthorized access to, and unauthorized use of, Aguirre’s mobile device's UDID. 

26. As Aguirre accessed her applications. Defendant OpenFeint, without adequate 
notice, or consent, accessed, collected, monitored, and remotely stored, her mobile device's 
Unique Device Identifiers. 
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27. In April 2011, Aguirre became aware of information related to the tracking 
activities of one (1) or more of Defendant OpenFeint and its affiliated applications. It is Aguirre's 
belief that Defendant OpenFeint's accessing of her mobile device’s UDID permitted tracking 
within her mobile device, used for tracking by Defendant OpenFeint, Application Developers, 
and Application Developer’s Affiliates. Aguirre did not receive adequate notice of the use of such 
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a tracking identifier, did not consent to the use of such a tracking identifier, and did not want 
such a tracking identifier installed on her mobile device to track her mobile activities. 

28. Plaintiff Aguirre considers the information which uniquely identifies her mobile 
device to be in the nature of confidential. Plaintiff Aguirre believes that Personally Identifiable 
Information should not be obtained or disclosed without adequate notice or consent, and 
aggregating her Personally Identifiable Information to link such to her mobile device’s UDIDs 
violates her privacy and security which resulted in harm. 

29. Plaintiff Aguirre believes that if she were to activate the Defendant OpenFeint’s 
Affiliated Applications, or access the Defendant OpenFeint’s App Markets and download 
Defendant OpenFeint affiliated applications, the tracking device used by Defendant OpenFeint to 
access, collect, monitor, and remotely use the applications to obtain her mobile device’s UDIDs 
would be used again by the Defendant OpenFeint. 

C. Plaintiff Alexander Hernandez’s Experience 


30. On information and belief, Plaintiff Alexander Hernandez incorporates all 
allegations within this complaint, and his experiences are the same to all Plaintiffs and Class 
Members. 

31. At all relevant times herein, Hernandez owned a mobile device, operated by a 
mobile device operating system, used that mobile device, and on one or more occasions during 
the class period, in the city of residence, accessed one (1) or more of the applications, that on 
information and belief, are affiliated with the Defendant OpenFeint, which resulted in Defendant 
OpenFeint gaining unauthorized access to, and unauthorized use of, Hernandez’s mobile 
device’s UDID. 

32. As Hernandez accessed his applications, Defendant OpenFeint, without adequate 
notice, or consent, accessed, collected, monitored, and remotely stored, his mobile device’s 
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Unique Device Identifiers. 

33. In April 2011, Hernandez became aware of information related to the tracking 
activities of one (1) or more of Defendant OpenFeint and its affiliated applications. It is 
Hernandez s belief that Defendant OpenFeint’s accessing of his mobile device's UDID permitted 
tracking within his mobile device, used for tracking by Defendant OpenFeint, Application 
Developers, and Application Developer’s Affiliates. Hernandez did not receive adequate notice 
of the use of such a tracking identifier, did not consent to the use of such a tracking identifier, 
and did not want such a tracking identifier installed on his mobile device to track his mobile 


activities. 


34. Plaintiff Hernandez considers the information which uniquely identifies his 
mobile device to be in the nature of confidential. Plaintiff Hernandez believes that Personally 
Identifiable Information should not be obtained or disclosed without adequate notice or consent, 
and aggregating his Personally Identifiable Information to link such to his mobile device's 
UDIDs violates his privacy and security which resulted in harm. 

35. Plaintiff Hernandez believes that if he were to activate the Defendant OpenFeint’s 
Affiliated Applications, or access the Defendant OpenFeint’s App Markets and download 
Defendant OpenFeint affiliated applications, the tracking device used by Defendant OpenFeint to 
access, collect, monitor, and remotely use the applications to obtain his mobile device's UDIDs 
would be used again by the Defendant OpenFeint. 

D * Sequence of Events an d Consequences- Plaintiffs and Class Members 

36. The sequence of events, and consequences common to Plaintiffs and Class 
Members, made the basis of this action, include, but are not limited to the following: 

a) Plaintiffs and Class Members are individuals in the United States who own 
and use mobile devices, which include a mobile device operating system, 
which provides an application “store” or “market” to download applications. 
Plaintiffs and Class Members entered into a Licensing Agreement with the 
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Mobile Device Operating System Manufacturers that operated the application 
store or market; 


b) Plaintiffs and Class Members then accessed an application affiliated with 
Defendant OpenFeint, entering into a licensing agreement with one (1) or 
more of the Application Developers, and installed one (1) or more 
applications within the class period; 

c) The Application Developers, which developed the applications that the 
Plaintiffs and Class Members downloaded, had entered into a legally binding 
agreement with Defendant OpenFeint; 

d) The Application Developers, which developed the applications that the 
Plaintiffs and Class Members downloaded, had entered into a legally binding 
agreement with Mobile Device Operating Manufacturers that operated an 
application “store” or “market”; 

e) The Application Developers were affiliated with one (1) or more Ad networks 
and Web Analytic Vendors and entered into Licensing Agreements; 

f) Defendant OpenFeint then obtained, without notice or authorization, the 
Plaintiffs’ and Class Members’ UDIDs, transmitted or allowed access to the 
UDIDs by its Application Developers which in turn transmitted such to 
Application Developer Affiliates; 

g) Defendant OpenFeint then took unprecedented liberties, without notice or 
authorizations, and obtained at will Plaintiffs’ and Class Members’ mobile 
device s data, using the mobile device’s UDIDs to aggregate the mobile 
device data; 

h) Defendant OpenFeint then created, individually and in concert with 
Application Developers, a database related to Plaintiffs' and Class Members’ 
mobile device data, to assist Defendant’s tracking scheme. Such tracking 
could not be detected, managed or deleted, and provided, in whole or part, the 
collective mechanism to track Plaintiffs and Class Members, without notice or 
consent; 


i) Defendant OpenFeint then conducted systematic and continuous surveillance 
of the Plaintiffs and Class Members’ mobile devices activity, which 
continues to date; 

j) Defendant OpenFeint then copied, used, and stored the mobile device UDIDs, 
data derived from the Plaintiffs and Class Members’ mobile devices, after it 
knowingly accessed, without authorization, the Plaintiffs’ and Class ’ 
Members’ mobile device; 

k) Defendant OpenFeint then obtained Plaintiffs’ and Class Members’ Personally 
Identifiable Information, derived in whole or part, from its monitoring the 
mobile application activities of Plaintiffs and Class Members. Defendant 
compiled and misap propriated personal information that includes details about 
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Plaintiffs and Class Members’ profiles to identify individual users to track on 
an ongoing basis, across numerous applications, and tracking when they 
accessed applications from different mobile devices, at home and at work. 
This Sensitive Information may include such things as users’ video 
application viewing choices or activities to obtain personal characteristics 
such as: gender, age, race, number of children, education level, geographic 
location, and household income, what was viewed, what was bought, 
materials read, financial situation details, sexual preference, and even more 
specific information like health conditions; 

l) Defendant OpenFeint then linked UDIDs to Defendant OpenFeint user 
accounts, linked UDIDs to GPS “Fine” co-ordinates and to Facebook and/ or 
Twitter profiles; 

m) Defendant OpenFeint then used analytics software to collect, use and disclose 
device data to third parties, an act that violates Plaintiffs’ and Class Members’ 
mobile device’s agreement; 

n) Defendant OpenFeint then provided assurances to Plaintiffs and Class 
Members that any and all authorized applications was safe for downloading; 

o) Defendant OpenFeint then failed to notify and warn Plaintiffs and Class 
Members of its covert activities within their mobile devices, and the covert 
tracking activities by Application Developers and Application Developer’s 
Affiliates before, during, and after notice, of the unauthorized practices, made 
the basis of this action, so that Plaintiffs and Class Members could take 
appropriate actions to opt-out of the unauthorized surveillance and/or to delete 
any and all applications; 

p) Defendant OpenFeint then failed to block access to, and void the licensing 
agreements of Application Developers after it received notice of individual 
and concerted actions, made the basis of this action; 

q) Defendant OpenFeint then failed to provide any terms of service, or privacy 
policy, related to its use of UDIDs for tracking, or provide an updated privacy 
policy alerting its users of its activities, or the Application Developers and 
Defendant Application s activity, made the basis of these actions; thus 
Plaintiffs and Class Members had no notice of such activities, nor the ability 
to mitigate their harm and damage after the fact; 

r) Defendant OpenFeint then failed to obligate Application Developers to any 
terms of service, or privacy policy, related to its use of UDIDs for tracking, or 
provide an updated privacy policy alerting its users of Application Developers 
and Defendant Application activity, made the basis of these actions; thus 
Plaint!fits and Class Members had no notice of such activities, nor the ability 
to mitigate their harm and damage after the fact; 

s) Defendant OpenFeint then failed to obligate Developer’s Affiliates notice to 
Plaintiffs and Class Members of its tracking activities in order to obtain 
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authorization; thus Plaintiffs and Class Members had no notice of such 
activities, nor the ability to mitigate their harm and damage after the fact; 

t) Defendant OpenFeint then failed to provide Plaintiffs and Class Members 
information within its privacy policies concerning the affiliation of each 
Application Developer, its Application Developer’s Affiliates, and 
information related to the extent of its tracking, made the basis of this action, 
nor adequate opt-out information; 

u) Plaintiffs and Class Members that desired to cease tracking by Defendant 
OpenFeint by deleting the application, had Defendant continue to track their 
activities; 

v) Plaintiffs and Class Members that became aware of Defendant OpenFeint’s 
association with third parties were unable to restrict access to their UDIDs 
from within their own mobile device to cease all tracking; 

w) Plaintiffs and Class Members that became aware that Defendant OpenFeint 
had created a database, and deleted the databases to cease any and all tracking, 
had the Defendant OpenFeint maintain storage and use of all data derived 
from its unauthorized activity; 

x) Defendant OpenFeint then converted the Plaintiffs’ and Class Members’ 
electronic data including, but not limited to, UDIDs for commercial gain; 

y) Plaintiffs and Class Members involved with the Defendant were harmed by its 
practices including, but not limited to, the following: 

1. Violations of legally protected Federal, State and Common Law rights 
of privacy; 

2. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized access to “property not provided by users,” resulting in 
time and expenses incurred to remedy the effects of damages caused to 
Plaintiffs’ and Class Members’ mobile devices; 

3. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized collection, use, and sale of “property not provided by 
users, and seized by the Defendant’s “data mining” and tracking 
activities that linked Plaintiffs and Class Members’ data to the mobile 
device s UDIDs. Plaintiffs and Class Members purchase a mobile 
device from a mobile device manufacturer and cannot resell their 
mobile devices, thus incurring a diminution in “value” of their 
property; 

4. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized collection, use, and sale of “bandwidth not provided by 
users,” and seized from the user’s mobile device. Plaintiffs and Class 
Members purchase bandwidth from their provider in order to use their 

_mobile devices, and any and all “data mining” conducted by 
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Defendant required the use of Plaintiffs’ and Class Members’ 
bandwidth, thus interrupting and depleting the services purchased, 
causing the loss of “value” to the bandwidth purchased by Plaintiffs 
and Class Members; 

5. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized collection, use, and sale of “property not provided by 
users,” and seized by the Defendant. Plaintiffs and Class Members 
paid for a mobile device capable of particular levels of processing and 
internet connectivity services capable of particular transmission 
speeds. Defendant’s activities usurped the Plaintiffs’ and Class 
Members’ mobile devices’ processing and connectivity resources, thus 
diminishing its performance; 

6. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized collection, use, and sale of Plaintiffs’ and Class 
Members’ mobile device’s UDIDs, “information not provided by 
users,” and seized by Defendant. Such user information constitutes 
assets with discemable “value,” seized and sold by Defendant, thus 
causing Plaintiffs and Class Members to lose the “value” of their 
Personal Information; 

7. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized collection, use, and sale of Plaintiffs’ and Class 
Members mobile data, “information not provided by users,” and 
seized by Defendant. Such user information constitutes assets with 
discemable value,” seized and sold by Defendant, thus causing 
Plaintiffs and Class Members to lose the “value” of their Personal 
Information; 

8. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized collection, use, and sale of “information not provided,” 
and seized by Defendant. Plaintiffs and Class Members purchased the 
products and services associated with the Operating Service within 
their mobile devices, “paying’ for the mobile device and operating 
system. Defendant provided their Personal Information, a valuable 
property that was exchanged not only for Defendant’s Platform, but 
also in exchange for Defendant’s promise to employ commercially 
reasonable methods to maintain the Personal Information that was 
exchanged. Defendant caused a breach of its agreement with Plaintiffs 
and Class Members' by allowing other parties to obtain such data, thus 
causing Plaintiffs to lose the “value” of their Personal Information; and 

9. Financial harm caused to Plaintiffs and Class Members by Defendant’s 
unauthorized collection, use, and sale of mobile data provided by 
Plaintiffs and Class Members. The profitability of Defendant's 
Platform, like most “free” apps, is not ad driven but user data centric. 
Plaintiffs and Class Members offered limited use of their information 
as “consideration” to Defendant in return for the use of Defendant's 
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Platform. Defendant’s exploitation of Plaintiffs’ and Class Members’ 
mobile devices to obtain and sell their personal information benefitted 
Defendant with increased profits as opposed to the benefits obtained 
by Plaintiffs and Class Members who surrendered much more data 
than they bargained for when they enabled Defendant OpenFeint’s 
Platform. 

z) Plaintiffs’ and Class Members’ allegations, made the basis of this action, as it 
relates generally to UDIDs, is supported in whole or part by the following 
recent studies: 

• Ashkan Soltani and David Campbell, Electric Alchemy.net, “The Journal’s Cellphone 
Testing Methodology,” (last accessed April 15, 2011), online: 

http://online.wsi . com/article/SB 1 000 1 42405274870403480457602595 1 767626460.html : 

Eric Smith, “iPhone Applications & Privacy Issues: An Analysis of Application 
Transmission of iPhone Unique Device Identifiers (UDIDs)” (last accessed April 15, 
2011), online: http://www.pskI.us/wp/wp-content/uploads/2010/09/Android- 
Applications-Privacy-Issues.pdf : 

William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick 
McDaniel, Anmol N. Sheth, “TaintDroid: An Information-Flow Tracking System for 
Realtime Privacy Monitoring on Smartphones” (last accessed April 15, 2011), online: 
http://www.appanalvsis.org/tdroid 10.p df: and 

• Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna, “PiOS: Detecting 
Privacy Leaks in iOS Applications,” (last accessed April 15, 2011), online: 
http://www.technologyreview.com/computing/27128/?p|=A2&a=f 

aa) Plaintiffs’ and Class Members* allegations, made the basis of this action as it 
relates specifically to Defendant OpenFeint’s tracking, is supported in whole 
or part by the following recent studies: 

Aldo Cortesi, “De-anonymizing Apple UDIDs with OpenFeinf ’ (last accessed May 5, 

2011), online: http://corte.si./posts/security/openfeint-udid-deanonvmization/index.htmI 

• Aldo Cortesi, “How UDIDs are used: a survey” (last accessed May 20, 2011), online: 
http://corte.si./posts/securitv/apple-udid-survev/index.html 

37. Defendant’s conduct, individually and jointly, is a fraud that has been perpetrated 
for years, facilitated, and coordinated, by some of the world’s largest Application Developers, 
network advertising industry, and web analytic vendors, thereby costing the Class upwards of 
hundreds of millions of dollars. Defendant has been systematically defrauding Class Members in 
a covert operation ot surveillance made possible by their gross misconduct, negligence, apparent 
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coordination, actual fraud, and violation of one (1) or more of the following: 

1) Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”); 

2) Electronic Communications Privacy Act 18 U.S.C. §2510 (the “ECPA”)- 

3) California’s Computer Crime Law, Penal Code § 502; 

4) California Invasion of Privacy Act, Penal Code § 630; 

5) Consumer Legal Remedies Act, (“CLRA”) California Civil Code § 1750; 

6) Unfair Competition, California Business and Professions Code § 17200; 

7) Breach of Contract; 

8) Breach of Implied Covenant of Good Faith and Fair Dealing; 

9) Conversion; 

10) Negligence; 

11) Trespass to Personal Property / Chattels; and 

38. Defendant manipulated the Plaintiffs’ and Class Members’ mobile devices, which 
have computing functions used in and affecting interstate commerce and communication and 
were therefore protected computers, a conduct in violation as defined in the Computer Fraud and 
Abuse Act, Title 18, United States Code, Section 1030(e)(2). 

39. Defendant obtained electronic communications sent to the Plaintiffs’ and Class 
Members’ mobile device, including but not limited to, the Plaintiffs' and Class Members' UDID,, 
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information sought to identify the Plaintiffs and Class Members, since such persisted across 
Internet sessions. Such provided in whole, or part, the ability to identify the users’ mobile 

device s functions, a conduct in violation of the Electronic Communications Privacy Act 18 
U.S.C. §2510. 

40. Defendant s conduct, made the basis of this action, included but was not limited 


to, tampering, interference, unauthorized access to Plaintiffs' and Class Members' mobile device, 


a conduct m violation of the California's Computer Crime Law, California Penal Code § 502. 
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Defendant’s conduct, made the basis of this action, involved the unauthorized 


access to Plaintiffs’ and Class Members’ electronic communications with one (1) or more entities 
based in California, a conduct in violation of the California Invasion of Privacy Act Penal Code § 
630 et seq. 


42. Defendant’s conduct, made the basis of this action, was an engagement in unfair 
and deceptive acts and practices in the course of transactions with Plaintiffs and Class Members, 
and such transactions were intended to and did result in the sale of services, a conduct in 
violation of the Consumer Legal Remedies Act, California Civil Code § 1750, et seq. 

43. Defendant’s conduct, made the basis of this action, resulted in acts of deception, 
fraud, inconsiderable and unfair commercial practices, concealing, suppressing, and/or omitting 
material facts with the intent to have Plaintiffs and Class Members rely upon such concealment, 
oppression or omission. Defendant's unfair and deceptive trade acts caused damage and harm to 
Plaintiffs and Class Members, a conduct in violation of the Unfair Competition Law, California 


| Business and Professions Code § 17200. 

44. Defendant OpenFeint's conduct, made the basis of this action, was a breach of 
contract between Defendant OpenFeint and Plaintiffs and Class Members, including but not 
limited to, failure to abide by the licensing agreement which forbade release of Personal 
Information to third parties without notice and consent. Application Developers’ contractual 
duties and obligation to Defendant OpenFeint do not release Defendant OpenFeint from its 
liability to Plaintiffs and Class Members. 

45. Application Developers' conduct, made the basis of this action, was a breach of 
contract between Application Developers and Plaintiffs and Class Members, including but not 
limited to, failure to abide by the licensing agreement which forbade release of Personal 
Information to third parties without notice and express consent. Defendant OpenFeint and 
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Application Developer Affiliates’ contractual duties and obligation to Application Developers do 
not release Application Developers from its liability to Plaintiffs and Class Members. 

46. Defendant’s conduct, made the basis of this action, constitutes a Breach of 
Implied Covenant of Good Faith and Fair Dealing including, but not limited to, failure to abide 
by its agreement implied that it would not act in bad faith and share information stored on 
Plaintiffs’ and Class Members’ mobile devices. 

47. Defendant’s conduct, made the basis of this action, included acts of conversion 
whereby the Plaintiffs’ and Class Members’ mobile device data, which included Sensitive and 
Personally Identifiable Information, was obtained by Defendant, exercising dominion over such 
property, and providing to third parties for commercial gain, including an economic loss to 
Plaintiffs and Class Members by the Defendant’s sale of Plaintiffs’ and Class Members’ user 
data. 

48. Defendant OpenFeint’s conduct, made the bases of this action, was an act of 
negligence, including but not limited to, its failure to fulfill its contractual commitments to 
Plaintiffs and Class Members’ Personally Identifiable Information, privacy, and security, agreed 
upon within the terms of Defendant OpenFeint’s Terms of use and Privacy Policy for use of the 
App Markets. 

49. Defendant’s conduct, made the basis of this action, involved the unauthorized 
access to Plaintiffs and Class Members Electronic Communications with one (1) or more entities 
based in California, a conduct violation of the Unfair or Deceptive Acts in Violation of Each 
State's “Little FTC” Acts. 

50. Plaintiffs and Class Members own the right to possess the personal property, 
including but not limited to, Plaintiffs' and Class Members’ data, obtained by the Defendant who 
intentionally exercised dominion and control over such user data, deprived the Plaintiffs and 

OpenFeint Class Action Complaint 

18 . 



1 




2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 


Class Members of such possession and use, and caused damages to the Plaintiffs and Class 
Members. 

51. Plaintiffs and Class Members sought to maintain the secrecy and confidentiality 
of their Personal Information assets acquired by Defendant, which includes Personal Information 
(“PI”), Personally Identifiable Information (“PH”), Sensitive Identifying Information (“SII”), 
GPS “Fine” co-ordinates, derived in whole or part from linking their Unique Device Identifiers 
(“UDIDs”), to the Defendant OpenFeint user accounts, GPS “Fine” co-ordinates, and Facebook 
profile. 

52. The means by which Defendant obtained such information and the reasons 
Defendant engaged in its business practices made the basis of this action, demonstrate the 
confidential character of such information, users' efforts to protect it, and the economic value of 
Plaintiffs’ and Class Members’ data. 

53. Defendant’s conduct has caused economic loss to Plaintiffs and Class Members in 
that, in a barter economy in which users’ patronage (which is the subject of Defendant’s traffic 
measurement activities) is the currency with which users acquire ostensibly no-fee web services. 
Their patronage has independent economic value. In addition, inasmuch as Defendant 
wrongfully acquired Plaintiffs’ and Class Members’ patronage, Plaintiffs and Class Members 
were deprived of the opportunity to contribute their patronage to web entities that did not engage 
in such wrongful conduct. 
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54. Further, the Plaintiffs and Class Members’ electronic data, misappropriated by 
Defendant, and populated with their actual user data constitute assets with discemable values. 
Certainly given Defendant conduct. Defendant associate economic value with the Plaintiffs’ and 
Class Members UDID derived data. In addition, they even have specific valuations in criminal 
markets. For example, Symantec reported that in 2007 the illicit market value of a valid Hotmail 
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or Yahoo cookie was three dollars ($3.00). 

55. The aggregated loss and damage sustained by Plaintiffs and Class Members, 
individually and collectively, set forth above includes economic loss with an aggregated value of 
at least $5,000 during a one-year period. Defendant perpetrated the acts and omissions set forth 
in this complaint through an organized campaign of deployment, which constituted a single act. 

56. Defendant’s conduct, made the basis of this action, included acts of conversion 
whereby the Plaintiffs’ and Class Members’ mobile device data, which included sensitive and 
Personally Identifiable Information, was obtained by Defendant, exercising dominion over such 
property, and providing to third parties for commercial gain, including an economic loss to 
Plaintiffs and Class Members by the Defendant including but not limited to the following: 

• Bandwidth is the amount of data that can be transmitted across a channel 
in a set amount of time. Any transmission of information on the internet 
includes bandwidth. Similar to utility companies, such as power or water, 
the “pipeline” is a substantial capital expenditure, and bandwidth usage 
controls the pricing model. Hosting providers charge users for bandwidth 
because their upstream provider charges them and so forth until it reaches 
the “back bone providers.” Retail providers purchase it from wholesalers 
to sell its consumers. 

• Network provider's data plans charge consumers based upon items, such 
items as usage and “caps." A charge of $30.00 per month for an unlimited 
plan is standard, but limited plans have caps, such as: 256 GB per month. 

• Defendant’s tracking activity ads consume vast amounts of bandwidth, 
thereby slowing a user's internet connection by using their bandwidth. 

• Advertisers are now using the internet as their primary ad-delivery pipe by 
continually uploading and downloading data from its networks causing 
substantial bandwidth use. 

57. Defendant’s conduct, made the basis of this action, resulted in an act of Trespass 
to the Personal Property/ Chattel of the Plaintiffs and Class Members by obtaining user data and 
a mobile device “Fingerprint,” a practice of obtaining device information to perpetually identify 


27 


the mobile device. The Defendant’s actions were surreptitious, without notice and so were 



conducted without authorization and exceeding authorization. Defendant intentionally and 
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without consent, physically interfered with the use and enjoyment of personal property in the 
Plaintiffs’ possession, thereby harming Plaintiffs and Class Members. The interference with the 
Plaintiffs’ and Class Members’ property/ chattel resulted in harm to their interest in the physical 
condition, quality or value of the property/ chattel. 

58. Defendant OpenFeint’s Terms of Service and Privacy Policy does not provide 
notice that users’ mobile devices’ UDIDs shall be obtained for tracking purposes, and used to 
build a profile data collected of any and all users’ mobile device activities. Many Application 
Developers do not provide any Terms of Service and/or Privacy Policies. 

59. If Plaintiffs and Class Members were adequately informed of Defendant 
OpenFeint’s intrusive mobile tracking then they would not have enabled a mobile device 
application which was operated by Defendant OpenFeint. 


FACTUAL ALLEGATIONS 


A. Background 


60. “Kid Apps” are tracking millions of Minor Children , promoting “free” 
applications as a means to obtain their mobile device’s UDIDs and Personally Identifiable 
Information, by attracting minor children with storybook tales, friendly animals and child-like 
game scenarios to create a mobile ecosystem similar to a “virtual elementaiy school 
playground Many applications are being used as a ploy to obtain user’s mobile device’s UDIDs 
for financial gain. Defendant OpenFeint offers a mobile platform for applications to aggregate 
the user’s mobile device UDIDs and Personal Identifiable Information obtained by applications, 
to link UDIDs to GPS “Fine” co-ordinates and to Facebook and/ or Twitter profiles. 

61. In 1999, Intel released the “Pentium 3” and each processor included a unique 
serial number which could be read by software installed on the system. Intel was forced to 
remove this function after consumers, privacy groups, and legislative authorities voiced outrage 
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about privacy and security concerns. In 2008, Mobile Device Operating System Manufacturers 
started to include software with visible Unique Device Identifiers (“UDIDs”) within mobile 
devices. Coincidently, Mobile Device Operating System Manufacturers also began developing 
application “stores” and “markets,” launched as a service for the operating system devices, 
permitting mobile device users to download applications. 

62. Recent studies revealed that Mobile Device Operating System Manufacturers had, 
without authorization, transmitted, or allowed access to, UDIDs, permitting third parties to 
obtain mobile device users’ UDIDs. The “free” applications were being used as a tracking 
platform. Mobile Device Operating System Manufacturers, Advertising Networks, Web 
Analytics Vendors, Application Developers and Social Media affiliates; hereinafter referred to as 
the “Mobile Device Marketing Industry,” denied that obtaining a user’s mobile device’s UDIDs 
would permit mobile device tracking, and that user’s Personally Identifiable Information was 
being aggregated and linked to a user’s UDIDs, claiming UDIDs provided only “anonymous 
usage statistics.” 

63. Defendant OpenFeint is the largest mobile social gaming network, offering a 
mobile device platform that aggregates data; hereinafter referred to as a “Data Aggregator.” 
Defendant reports it is affiliated with in excess of five thousand three hundred (5,300) gaming 
applications involving one hundred million (100,000,000) users. Defendant OpenFeint 
aggregates data it obtains from users, provided in part by each of its affiliated applications. 
Defendant aggregates Personally Identifiable Information and links UDIDs to OpenFeint user 
accounts, linking UDIDs to GPS “Fine” co-ordinates (the user’s exact latitude and longitude), 
and linking UDIDs to Facebook and Twitter profiles, without notice or consent, to its users of its 
deceptive practices. Plaintiffs and Class Members are individuals that were harmed by Defendant 
OpenFeint. 
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64. This consumer class action involves a pattern of covert mobile device 
surveillance; wherein the Defendant OpenFeint operated individually, and in concert with, 
associated in fact. Application Developers and Application Developer Affiliates that targeted 
Plaintiffs and Class Members who downloaded applications affiliated with Defendant OpenFeint 
to knowingly, and without the user’s knowledge or consent, commit unauthorized transmittal, 
access, collection, and use of Plaintiffs’ and Class Members’ mobile device Unique Device 
Identifiers (“UDIDs”), to transmit a program, information, code, or command, to collect, 
monitor, and remotely store the Plaintiffs’ and Class Members’ aggregated Personally 
Identifiable Information link to their mobile device’s UDIDs, in order to “track” the Plaintiffs 
and Class Members for financial gains. 

65. Privacy and security concerns are further accentuated when it is known that 
Defendant OpenFeint implements GPS tracking involving “Fine” co-ordinates and that its acts 
are not limited to adults, but include minor children. Defendant OpenFeint targets minor children 
with free affiliated gaming applications designed and promoted as “Kid apps ,” purposely 
including storybook tales, friendly animals, and child-like game scenarios to attract children , so 
that the child’s parents would be more likely to allow for the app download, relying in part on 
the posted children app ratings. Many of Defendant OpenFeint’s gaming applications are rated 
4+,for ages four (4) and up, rated 9+ for ages nine (9) and up, and rated 12+for ages twelve 
and up. 

66. Most Defendant OpenFeint affiliated applications provide no terms of service, 
privacy policy, or a link to a website with such information; moreover Defendant OpenFeint fails 
to provide a link to its terms of service or privacy policy within its platform. Many of the 
Defendant OpenFeint applications are marketed for children 12 and under. Defendant 
OpenFeint’s platform allows forum postings, such as: 
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Rated 4+ - (For Ages Four and Up) 


Patrick, age 8: “I love these jumps!!!’ 



Giant Moto 

Rated 4+ 


67. Defendant OpenFeint’s plug and play social gaming platform provides 
functionality for applications to attract “ Kiddies ”: 


“Social and mobile incubator YouWeb, who has helped create OpenFeint, 
(company names redacted), is announcing its latest venture..” 

“..an educational game and iPad app that combines scrolling gameplay 
dynamics with musical notes to get the kiddies interested in learning 
music.” 


13 

14 


“The game itself is using sister company OpenFeint’s plug and play social 
gaming platform to allows players to compare their scores and ranking 
with other players around the world.” 
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Leena Rao, “YouWeb Incubated Pluto Plays Music Combines Gaming With Helping Kids Learn 
Music,” May 12, 2011 (last accessed May 24, 2011) online: 

http://techcrunch.com/2011/05/12/youweb-incubated-pluto-plays-music-combines-gaming-with- 
helping-kids-leam-music/ 


68. The Intel Pentium 3 crisis pales in comparison to the privacy and security 


19 

20 
21 
22 

23 

24 

25 

26 

27 

28 


violations caused by Defendant OpenFeint’s platform and data aggregation of one hundred 
million (100,000,000) users, including minor children. However, Defendant OpenFeint can no 
longer claim the data is anonymous. 

B. Mobile Device Tracking 

69. Traditional online advertising practices, such as the tracking of individual users 
across sessions and controlling the frequency and relevance of advertising presented to them, 
simply do not exist in the mobile Internet today. 

70. Mobile Internet advertising currently consists of streaming graphic files, in real 
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time, into content rendered by a user’s mobile device browser. Image and text call to action 
advertising tags that are embedded in the content at a publisher’s content management system. 
This occurs prior to delivery of the actual content to the user over the wireless network. Current 
mobile practice for many servers include ad serving systems to log delivery of user impressions 
when the ad tags are transmitted from the ad server, across the Internet to the publisher’s content 
system. 

71. Mobile advertising systems lack reliable browser tracking while traditional online 
advertising relies on the user’s browser cookies, implementations inherent in conventional 
implementations of mobile ad serving have effectively prevented mobile advertising from being 
effective. 

72. The lack of standard advertising metrics for mobile campaigns has discouraged 
online advertisers from taking advantage of the unique personalized nature of mobile devices and 
local content. This is due in part from the inability of the mobile advertising industry to 
incorporate web analytics. 

73. There are basically two approaches to collecting web analytics data. The first, 
“page tagging,” uses a small bit of JavaScript code placed on each web page to notify a third- 
party server when a page has been viewed by a web browser. Etags can be used in place of 
cookies. They are a part of caching in HTTP: The server sends the user the tag, and when the 
user accesses the resource again their web browser sends the tag back. The server uses the tag the 
browser sent to decide whether to send the user the data or provide data to the browser that the 
data hasn’t changed, and to keep using the old copy. 

74. The second, and more traditional, approach to web analytics is “log file analysis,” 
where the log files that Web servers use to record all server transactions are also used to analyze 
website traffic. 
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75. All Internet advertising, online or mobile, seeks “state maintenance” or the idea 
that the person/browser/phone that saw the ad performs some later activity. Because most mobile 
phones don’t support fully functional browsers, they also don’t obtain “uniqueness,” necessary to 
obtain “state maintenance.” Obtaining the user’s IP address won’t work because most mobile 
phones don’t have a public IP address. They access the web through Network Address 
Translation at the carrier, meaning that many phones are seen by the entire web as all one IP. 

76. In order to obtain “uniqueness” in mobile devices, the key was to obtain Unique 
Device Identifiers or “UDIDs,” a special type of identifier used in software applications to 
provide a unique reference number in mobile devices. Unlike traditional cookies, a user has no 
choice whatsoever here. A user can't opt-out, since it is always sent. It can’t be deleted since it 
always stays the same. A user can not block UDIDs from being transmitted, as they would in a 
browser, since it is hard coded into a user's phone software. Defendant OpenFeint accomplished 
the task of obtaining device uniqueness and reaped the benefits. 

77. With UDIDs, Application Developers were limited to a unique identifier, 
hereinafter referred to as a Global Unique Identifiers (“GUIDs”), which originates from a device 
registering at a website, online store, Web Analytic Vendors or by the ad networks. “GUIDs” 
created by Application Developers provides functionally that allows Application Developers to 
uniquely identify the user for purposes such as: storing application preferences or video game 
high scores, playlists, etc. In some cases, personal contact information and authorization to other 
linked accounts is also provided. This is so users don't need to register or log on. GUIDs 
facilitated the process of collecting and storing certain types of data, but also provides a tempting 
opportunity for use as a tracking agent to correlate with other Personally Identifiable Information 
but GUIDs are not UDIDs, nor do they have the benefits of UDIDs. 

78. UDID tracking is not exactly comparable to any other type of tracking by 
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advertising networks. It is not anonymous data - it is an exact ID that is unique to each physical 
device, and if merged with GPS data, it provides unlimited advertising opportunities. When 
tracking your location data on the mobile device, it is calculated to 8 decimal points that can be 
far more exact and accurate than any sort of geographically-based IP address look-up on the web. 
Instead of getting a general location, location data on a GPS-enabled mobile can identity your 
precise latitude and longitude. 

79. Advertising networks and mobile analytic companies obtain UDIDs to have 
visibility across all of its applications, so tracking is consistent regardless of an individual’s 
location or connection. It is not anonymous tracking since it runs at the application layer, the 
same layer that a web-browser already runs; therefore its stats involve information which has 
nothing to do with user metrics or usage. Security violations occur when the device identifier is 
combined with the following attributes: authenticated login information (e.g. a banking 
application can link UDIDs with a full banking consumer profile), (nick)name of aOS device 
owner, type of connection (e.g. Wi-Fi versus 3G), model type (version of mobile device), home 
address, phone number, and geo-location information. While UDIDs' existence is not nefarious, 
its use can be. 

80. The advertising and marketing industries have been strongly advancing technical 
means of synchronizing tracking code so that information about individual consumer behavior in 
cyberspace can be shared between companies and the UDID used in the majority of mobile 
devices would be put to this purpose. The records of many different companies are merged 
without the user’s knowledge or consent to provide an intrusive profile of activity on the 
computer. There are no practical limits on what can be collected or used. 

81. Many advertising and behavioral tracking systems that use UDIDs, without the 
customer’s knowledge or consent, brag about its ability to report on every action a user took 
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within an app: every button click, every page viewed, every table cell viewed, and the time a 
person took between each action, all sent back to the server without any notification or customer 
access to that information. Thus, UDIDs are most useful to people who want to track and collect 
user behavioral data without user notification or permission (ad networks and behavioral 
monitors). Since UDIDs are the same for every app on a device, this is a benefit to advertisers 
and other data aggregators. The mobile advertising world will no longer have to place a cookie to 
track a user across sites/apps because UDIDs are like a permanent cookie that the user cannot 
turn off. 

82. Application Developers and Application Developers Affiliates' technology, made 
the basis of this action, is basically using some of the modem HTML5 capabilities of mobile 
browsers to perform the same tasks as a traditional cookie, but out of sight of most users and 
while it is not technically a mobile cookie since it’s not browser based, is on the server side, thus 
it cannot be affected by anti-cookie technologies employed by carriers such as gateway stripping 
(a technique that renders the cookies useless or unreliable for ad targeting), and preventing users 
from deleting them. Wireless carriers typically prevent outside firms from embedding such 
information in mobile devices. In order to get around the carriers, it embeds its digital code in 
servers rather than browsers, since most mobile devices forbid the use of third party software in 
Applications to collect and send Device Data to a third party for processing or analysis, banning 
'Third Party" Analytics. 

83. In a non-technical version, Application Developer’s Affiliates have its 
Application Developers include a small JavaScript in its application. An invisible iFrame is 
created which loads code from the application. It determines if it has seen the user before and 
initiates a database (for the domain) and then communicates through iFrame message-passing to 
its client that it should create a mirror of this database for the application domain. 
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84. Application Developer’s Affiliates develop and sell tools to track, collect (and 
store) data and analyze mobile and Internet-enabled apps to facilitate advertising or assist 
developers build applications. In the final analysis, the developer/application publisher should 
also be held responsible for any and all data privacy violations. 

85. By piggy backing on applications. Application Developer’s Affiliates gain access 
to the richest customer metrics with the shortest distance to customer purchase decisions and the 
sales funnel. Web analytic vendors track app usage, but also attract advertisers for third-party 
applications and Application Developer’s Affiliates service itself. In addition to ad-insertion 
technology, the web analytics vendor is involved in the ad network. Mobile analytics’ purpose is 
an optimization tool to help increase app downloads and sales. 

86. Developing an account creation system is time consuming and costly. Therefore, 
in order to save time and money, the majority of Application Developers who do not need multi¬ 
device accounts choose to use UDIDs instead of its own GUIDs. As such, Defendant OpenFeint 

I incentivizes developers to use the UDID by not providing them with a similarly useful privacy- 
enhanced customer identification tool. Privacy risks associated with the use of UDIDs could 
have been mitigated by Defendant OpenFeint by using an identifier that was unique for the 
combination of application and device if the device returned to a program different for each app. 

87. Application Developer's Affiliates offer “free” software development kits 
(hereinafter referred to as “SDKs”) that Application Developers download and insert into its 
application. A software development kit (“SDK”) is typically a set of development tools that 
allows for the creation of applications for a certain software package, software framework, 
hardware platform, computer system, video game console, operating system, or similar platform. 
It may be something as simple as an application programming interface (API), in the form of 
some files, to interface to a particular programming language or include sophisticated hardware 
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to communicate with a certain embedded system. Often SDKs can be downloaded directly via 
the Internet. Many SDKs are provided for free to encourage Application Developers to use the 
Application Developer Affiliates system or language. 
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88. The spectrum of mobile analytics involves: “application analytics” aimed at 

Application Developers; “campaign analytics” aimed at optimizing tools for media companies; 
and “service analytics” aimed at providing platforms for data mining networks or mobile device 
data. 
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89. SDKs though provided Application Developer Affiliates the access to Application 
users when Application Developers downloaded the Application Developer Affiliates’ SDKs 
into its application; such provided the ability to obtain the Plaintiffs’ and Class Members’ UDID 
and to conduct cross application tracking, activities made the basis of this action. 

90. The SDKs also involve tracking libraries, whose sole purpose is to collect and 
compile statistics on application uses and usage, and send the device ID as part of their 
functionality. Most of these libraries are used to display advertisements so as to provide revenue 
for the Application Developer; and the mechanism for the libraries to also provide the mobile 
device’s UDID once the user installed applications. 

91. The SDKs enable Application Developers to track usage of its app in real time, as 
if it were a website. First, the Application Developer identifies the places in its app where it 
would like to trigger a page view or an event, and then uses the SDKs to send these events to 
Web Analytics Vendors. 

92. Client libraries available for Applications were created using open source SDKs 
for consistency and easy integration. The client libraries also provide flexibility for deeper 
integrations and customization. Once integrated with an app, the client library sends function 
calls (Required: open, upload, close. Optional: tagEvent, setOptln / isOptln) to control a session. 
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C. UDIDs Tracking Studies 

97. Mobile tracking entities attempt to claim their transactions are anonymous and 
thoroughly randomized. However, recent studies exposed those mobile tracking entities’ 
business practices with Application Developers, Advertising Networks, and Web Analytic 
Vendors, such as those associated with Defendant OpenFeint, do not confirm this opinion. 

98. On September 28, 2010, a joint study by Intel Labs, Penn State, and Duke 
University was released. The study identified that publicly available cell-phone applications from 
application markets were releasing consumers’ private information to online advertisers. In a 
study of 30 popular applications, TaintDroid revealed that 15 applications send users’ geographic 
location to remote advertisement servers. The researchers were only able to monitor Android 
apps because its operating system is an open source. That allowed them to develop TaintDroid, 
software that labels, or taints, data from privacy-sensitive sources so it can be monitored in real 
time. The study also found that seven of the 30 applications send a unique phone (hardware) 
identifier. 

• “Our experimentation indicates these fifteen applications collect location data and 

send it to advertisement servers. In some cases, location data was transmitted to advertisement 

servers even when no advertisement was displayed in the application.” 

William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick 
McDaniel, Anmol N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime 
Privacy Monitoring on Smartphones” (last accessed May 25, 2010), online: 
http://www.appanalvsis.org/tdroid 10.pdf 

99. On October 1,2010, a second study written by Eric Smith, Assistant Director of 
Information Security and Networking at Bucknell University, raised similar privacy questions 
about how Unique Device Identifiers (“UDIDs”) could be used to track how customers use 
applications associated with the device, and how developers can access a device UDID and 

correlate it with Personally Identifiable Information: 
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“A number of applications which have the potential to map UDID 
to user identity were studied to determine if they are actively 
collecting UDID data. UDID collection by applications requesting 
user credentials. Of the applications evaluated in this study that 
collected UDIDs require users to log in, and have personally- 
identiflable information affiliated with user accounts, 30% clearly 
transmit UDIDs; the rest used SSL to encrypt data transmission.” 


5 

6 
7 


“Of those, 68 percent transmitted UDIDs to servers under the 
control of developers or advertisers, while another 18 percent sent 
encrypted data that could have included the unique serial number. 
Just 14 percent of the apps were confirmed not to send UDIDs.” 


8 

9 

10 


“It is clear from this data that most mobile device application 
vendors are collecting and remotely storing UDID data, and that 
some of these vendors also have the ability to correlate the UDID 
to a real-world identity.” 


11 

12 

13 

14 


“A number of the applications considered in this study requested 
access to the on-board GPS receiver. Several such applications - 
games, for example — had no obvious need for this information. In 
several cases, applications which transmitted UDIDs were 
observed to transmit the mobile device’s latitude and longitude as 
well.” 


15 

16 


Eric Smith, “iPhone Applications & Privacy Issues: An Analysis of Application Transmission of 
iPhone Unique Device Identifiers (UDIDs)” (last accessed May 25, 2010), online: 
http://www.pski.us/wp/wp-content/uploads/2010/09/Android-Applications-Privacv-Issues.pdf 
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100. On December 17, 2010, a third study by David Campbell and Ashkan Soltani 


18 


revealed that OpenFeint application were transmitting UDIDs: 
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“An examination oflOl popular smartphone “apps”—games and 
other software applications for Android and Android phones— 
showed that 56 transmitted the phone’s unique device ID to other 
companies without users’ awareness or consent. Forty-seven apps 
transmitted the phone’s location in some way. Five sent age, 
gender and other personal details to outsiders.” 


23 

24 

25 


“Many apps don't offer even a basic form of consumer protection: 
written privacy policies. Forty-five of the 101 apps didn’t provide 
privacy policies on their websites or inside the apps at the time of 
testing. OpenFeint requires app privacy policies to?” 


26 

27 


David Campbell and Ashkan Soltani, Electric AIchemy.net, “The Journal’s Cellphone Testing 
Methodology,” (last accessed May 25, 2011), online: 

http://online.wsi.eom/article/SB100014240527487Q4034804576025951767626460.htmi 
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101. On January 24, 2011, a fourth study by the Vienna University of Technology, 


2 


Austria was released which confirmed previous studies that Android applications were obtaining 
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UDIDs: 
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“To show the feasibility of our approach, we have analyzed more 
than 1400 Android applications. Our results demonstrate that a 
majority of application leak the device ID.” 

“While not directly written by an application developer, libraries 
that leak device IDs still pose a privacy risk to users. This is 
because the company that is running the advertisement or statistics 
service has the possibility to aggregate detailed application usage 
profiles. In particular, for a popular library, the advertiser could 
learn precisely which subset of applications (that include this 
library) are installed on which devices. For example, in our 
evaluation data set, AdMob is the most-widely-used library to 
serve advertisements. That is, 82% of the applications that rely on 
third-party advertising libraries include AdMob. Since each request 
to the third-party server includes the unique device ID and the 
application ID, AdMob can easily aggregate which applications are 
used on any given device.” 

“Obviously, the device ID cannot immediately be linked to a 
particular user. However, there is always the risk that such a 
connection can be made by leveraging additional information. For 
example, AdMob was recently acquired by OpenFeint. Hence, if a 
user happens to have an active OpenFeint account and uses her 
device to access OpenFeint’s services (e.g., by using GMail), it 
now becomes possible for OpenFeint to tie this user account to a 
mobile phone device. As a result, the information collected 
through the ad service can be used to obtain a detailed overview of 
who is using which applications. Similar considerations apply to 
many other services (such as social networks like Facebook) that 
have the potential to link a device ID to a user profile (assuming 
the user has installed the social networking application). The 
aforementioned privacy risk could be mitigated by OpenFeint if an 
identifier would be used that is unique for the combination of 
application and device. That is, the device ID returned to a 
program should be different for each application.” 

“The unique device ID of the phone is treated differently and more 
than half of the applications leak this information (often because of 
advertisement and tracking libraries that are bundled with the 
application). While these IDs cannot be directly linked to a user’s 
identity, they allow third parties to profile user behavior. 

Moreover, there is always the risk that outside information can be 
used to eventually make the connection between the device ID and 
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early users.” 

Jason Chen “Aurora Feint iPhone App Delisted For Lousy Security Practices” June 23, 2008, 
(last accessed May 28, 2011) online: http://gizmodo.com/5028459/aurora-feint-iphone-app- 
delisted-for-lousv-securi tv-practices 

104. The Defendant OpenFeint is aiming to do the same thing for mobile in-game 
purchases that was done for computer based games: provide developers with a free set of tools to 
implement important features without the cost of managing these elements themselves. By using 
the “OpenFeint SDK,” mobile game developers can transform traditional stand-alone mobile 
games into interactive social online games, cross-promote their games, eventually monetize users 
with the sale of virtual goods and virtual currency, display advertisements, and include additional 
revenue-making activities. 

105. Defendant OpenFeint’s platform creates a central network for “gamers” to 
incorporate social networking capabilities, allowing the ability to import friends from a user’s 
Facebook and/ or Twitter profile so as to leverage social networking services. Application 
Developers integrate Defendant OpenFeint platform because it adds a social layer to their apps 
allowing access to Facebook and Twitter profile pages, Facebook-like walls for others to write 
on, and the ability to chat in games. OpenFeint works as a ‘layer’ on top of the actual game using 
a multi-layered interface. OpenFeint enabled games have the option of including a badge on the 
comer of the game’s icon consisting of the OpenFeint logo, initially visible to the user after they 
begin to download applications. 

106. Mobile Device Operating System Manufacturers developed application programs 
which are preinstalled on most devices and allow users to browse and download apps published 
by third-party developers. Users downloaded the applications which then provided access to 
Defendant OpenFeint. 

107. The “Android Market” is a mobile application site developed by Google for 

Android devices, and the “iTunes Store” was developed by Apple to provide apps for mobile 
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devices; hereinafter collectively referred to as the “App Markets.” Defendant OpenFeint provides 
a platform for both the iTunes Store and Android Market applications; hereinafter referred 
collectively to as the “OpenFeint Platform.” 

108. Mobile devices run applications written by third-party developers and distributed 
through the App Markets. Once developers have signed up, they can make their applications 
available immediately without a lengthy approval process. When an application is installed, the 
App Markets display all required permissions. The user can then decide whether to install the 
application based on those permissions. The user may decide not to install an application whose 
permission requirements seem excessive or unnecessary, i.e. a game may need to enable 
vibration, but few applications would have any plausible reason to access a user s “Fine” 
location GPS, which refers to the user's exact location and latitude. Possible app permissions 
include functionality such as: 

• Accessing the Internet 

• Making phone calls 

• Sending SMS messages 

• Reading and writing to the installed memory card 

• Accessing a user's address book data 

109. The application's implementation details are self-contained Package files. Neither 
the App Markets, nor the OpenFeint platform install applications itself, rather the phone's 
Package Manager Service installs the applications. The package manager can be seen directly if 
the user tries to download an APK file directly to their phone. Applications can be installed to 

| the phone's internal storage, and can also be installed to the owner’s external storage card. 

110. Application Developers must initially obtain an OpenFeint certification that its 

App complies with OpenFeint's developer policies. The OpenFeint's platform stresses that it 

requires an approval for process Application Developers to have their applications listed. In all 

actuality though, Defendant OpenFeint platform fails to screen its Apps. 

_ 111. Defendant OpenFeint's platform provides a Software Developer Kit (“SDK”) that 
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allows the apps the ability to import the tracking code into apps to track Plaintiffs and Class 
Members’ mobile device activity. The OpenFeint Software Development Kit License Agreement 
and its Terms and Conditions provide assurances to Plaintiffs and Class Members of OpenFeint’s 
contractual obligation to protect the privacy and security of its Users. 

112. Defendant OpenFeint’s “sandboxing mechanism”, a technique to create a 
configured execution environment, attempts to limit access to other application data by 
preventing third party applications from seeing each other or accessing specific locations; 
however such prevention serves no purpose when Defendant combines the UDIDs and mobile 
device data derived from the sandboxing mechanism. 

113. Ad Networks and Web Analytics Vendors are associated with a multitude of 
Defendant OpenFeint applications and are thus able to cross-track user's mobile devices, 
accessing the user’s UDIDs, making it possible to track users even when they change their 
device. 

114. The device unique identifier is obtained through the Defendant OpenFeint’s 
SDK's API. It may be used to aggregate data collected from various applications and analytics 
frameworks. Applications are able to know which other applications users have added and 
implemented. Users are now having their computer’s unique identifier transmitted to Ad 
Networks and Web Analytics vendors, without their notice or consent. 

115. While Mobile Device Operating System Manufacturers requires its apps to notify 
users before they download the app regarding the data sources the app intends to access, it does 
not gently require apps to ask permission to access some forms of the device's IDs, or to send it 
to third parties. When smartphone users let an app see their location, apps generally don't 
disclose if they will pass the location to ad companies, thus avoiding the manifest file. From an 
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advertiser perspective, the ID-related data collection enables the tracking and optimization of I 
mobile ad campaigns. 

116. The Mobile Device Operating System Manufacturers is therefore used to 
obfuscate the privacy and security settings of the user’s mobile device, such as the Application 
Developer’s ability to write code to get the MAC address of the phone. Multiple applications 
from that same developer can also send the same UDID to the developer’s servers. Mobile 
device operating system manufacturers do not provide controls to adequately protect users’ 
sensitive data. 

117. Mobile device operating system manufacturers require permission be granted by 
the user to allow applications access to some specific types of user data, but not all. The current 
model where permissions are granted to applications combined with the way third party libraries, 
such as mobile ad network libraries, request many different types of information which sets up a 
situation where the ad network will get the information if the application needs it to operate. 

118. Application Developers must initially register their applications on 
Api.openfeint.com and may add OpenFeint as either a framework or an individual source file. 
Defendant OpenFeint’s Developer Dashboard is the center of activity for developers working 
with Defendant OpenFeint. From here they will create their free developer account, download 
the Defendant OpenFeint SDK, and manage server side components of their projects. Defendant 
OpenFeint’s source code, a static framework, is released under the Terms of the GNU Lesser 
General Public License, which does not allow static linking, while Mobile Device Operating 
System Manufacturers forbid dynamic linking. Defendant OpenFeint’s framework includes, but 
is not limited to, the following: 

a. Iibsqlite3.0.dylib 

b. AddressBook 

c. AddressBookUI 
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e. Mapkit 

f. Libz .1.2.3. dylib 

119. Any application affiliated with Defendant OpenFeint will initially provide a pop¬ 
up requesting the user enable Defendant OpenFeint. If such is authorized, then there is a pop-up 
enabling Defendant OpenFeint geo-location before the application being downloaded requests 
access to geo-location. Mobile Device Operating System Manufacturers have strict guidelines it 
provides to applications that request the user’s geo-location. Defendant OpenFeint was not 
permitted by Mobile Device Operating System Manufacturers to obtain the user’s geo-location in 
lieu of the applications. 

120. A common flow of events when a user first starts an OpenFeint-enabled 
application is as follows: 

1) An OpenFeint screen pops up, prompting an account for the user to log in. 

2) On the same screen, there is an option the user can select to configure 
OpenFeint to use location data or not. 

3) If the user elects to allow OpenFeint to use location data, OpenFeint will 
attempt to access the user’s location. At this point, the user will be prompted to allow the 
application to access their location data. The reason for this two-step process is that the device 
considers the application and OpenFeint to be one and the same entity. 

121. Mobile device operating system manufacturers generally collect 30%, of app 
purchases and the Application Developer divides the remaining 70% with Defendant OpenFeint, 
of which Defendant OpenFeint receives 15% on paid apps. Defendant OpenFeint’s “One Touch 
iPromote,” gives users the ability to find and buy other OpenFeint-supported games their friends 
are playing, inviting other users into “lobbies,” where everyone can see what everyone else is 

playing. A user can then decide to play the same game or click on the link to buy it. One touch 
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iPromote is based on revenue sharing. When a user clicks on a game in a lobby and then goes on 

to buy that game, the developer and Defendant OpenFeint will get a percentage of that sale. 

Defendant OpenFeint wants user’s transactions and funds to occur within the Defendant 

OpenFeint interface as opposed to strictly within the App Markets. For app developers, the 

tradeoff is the benefit of not having to create complex art assets or a storefront design. Instead, 

they will just be able to include it with all the other OpenFeint plug-ins. 

OpenFeint, OpenFeint Developers site. Last Updated: April 19, 2011 (last accessed May 25, 
2011), Online: http://support.openfeint.com/dev/ofx-billing-faq/ 

E. OpenFeint Tracking 

122. When studies revealed in 2010 that Mobile Device’s Operating Systems were 
“leaking” user’s UDIDs to third parties by using the “free” downloaded apps as a ploy to draw a 
user base and the app platform as a routing port to conduct these activities, the mobile marketing 
industry downplayed the significance of the findings by claiming such was “anonymous” and 
that user’s Personally Identifiable Information was not being linked to the user’s UDIDs. Since 
the studies only revealed the source of the “leak” and its destination, there was no research that 
revealed the mobile industry's actual business practices of aggregation of user’s data and the 
process of linking user’s Personally Identifiable Information after the user’s UDIDs were 
obtained until the recent “Cortesi Study.” 

123. Cortesi examined the Application Programming Interfaces (API) and the data 
that was passed back and forth, specifically concentrating on Unique Device Identifier 
(UDIDs) and how it could be associated (or “linkable”) to other identifying data sets. UDIDs 
by itself don’t expose personal data, but to the extent that it's linked to other information 
about the mobile device’s user, it can function like a permanent cookie used in non-mobile 
tracking. Cortesi demonstrated a “linkability” between UDIDs and GPS co-ordinates, 

exposing a geo-location privacy risk to the person who carries the device, and a linkability to 
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Facebook and/ or Twitter profiles and profile pictures: 
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“The most common destination for traffic containing a user’s UDID is 
Apple itself, followed by the Flurry mobile analytics network and 
OpenFeint , a mobile social gaming company. These companies are uber- 
aggregators of UDID-linked user information, because so many apps use 
their APIs. 

When an OpenFeint-enabled app is first fired up, it submits the device's 
UDID to OpenFeint’s servers, which then return a list of associated 
accounts: https://api.openfeint.com/users/for device.xml?udid=XXX 

This is a completely unauthenticated call - you can try it out by cutting and 
pasting it into your browser, replacing XXX with your own UDID. Here's 
an example of the response for my UDID, with sensitive information 
removed: 
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<?xml version-'1.0" encoding="UTF-8''?> 

<resources> 

<user> 

<chat_enabled>true</chat_enabled> 

<gamer_score>XXX</gamer_score> 

<id>XXX</id> 

<Iast_played_game_id>187402</last_pLayed_ganieJd> 
<last_played_game name>tiny wings</last_played_game_name> 
<Iat>XXX</lat> 

<Ing>XXX</Ing> 

<onIine>false</onIine> 

<profne_picture_source>FbconnectCredential</profiIe_picture_source 

> 

<profile_picture_updated_at>XXX</profiIe_picture_updated_at> 
<prof11e_pictu re_u r!>http ://XXX> 
<upIoaded_profiIe_picture_content_type nil="true"> 
</upIoaded_profiIe_picture_content_type> 
<upIoaded_profiIe_picture_file_name nil="true"> 
</uploaded_profiIe_picture file name> 
<upIoadedjprofiIe_picture_fHe_size nil="true"> 
</uploaded_profiJe_picture_fiIe_size> 
<upIoadedjprofile_picture_updated_at nil=''true''> 
</uploaded_profiIe_picture_updated_at> 

<name>XXX</name> 

</user> 

</resources> 

Included is my latitude and longitude, the last game I played, my chosen 
account name, and my Facebook profile picture URL. 

Linking UDIDs to GPS co-ordinates 
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If the user has opted to allow OpenFeint to use their location, latitude and 
longitude is returned in the profile results. This lets us trivially associate a 
UDID with GPS co-ordinates. 

The location leak was fixed by OpenFeint after my report. Although some 
portions of the OpenFeint API still returns a user location , it seems that it 
is no longer served for direct profile requests. 

Linking UDIDs to Facebook profiles 

If the user registered a Facebook account with OpenFeint, a profile picture 
URL hosted by the Facebook CDN was returned in the user's profile data. 
Facebook profile picture URLs include the user's Facebook ID, directly 
linking it to their Facebook account. 

This step represents a complete de-anonymization of the UDID, directly 
linking the supposedly anonymous identifier with a user's real-world 
identity. 

The Facebook ID leak was fixed by OpenFeint after my report. 

OpenFeint’s response 

I reported this problem to OpenFeint on 5th of April. 1 did not hear back 
from them immediately, but I knew they were working on the problem 
because their API stopped returning GPS coordinates and Facebook 
profile picture URLs. On the 12th, I received an email from Jason Citron, 
OpenFeint's CEO, who wanted to set up a phone conversation with me, 
him and an OpenFeint legal representative. We spoke on the evening of 
the 20th of april. i recapped my findings and expressed concern that their 
api still linked udids to user accounts. They thanked me for the 
vulnerability report, confirmed that they had tightened their API in 
response to it, and asked for more time to consider the issue before I 
released anything. The following morning, it was announced that 
OpenFeint had been bought by GREE for $104 million. 

Impact 

I was able to link roughly 30% of UDIDs to GPS co-ordinates, 20% of 
users to a weak identity (e.g. OpenFeint profile picture, user-chosen 
account name), and 10% of UDIDs directly to a Facebook profile. 

We can make a broad guess at the magnitude of the problem, based on the 
fact that OpenFeint claims to have 75 million users: This would mean that 
about 7.5 million users may have had Facebook accounts linked publicly 
to their UDIDs until OpenFeint stopped returning profile picture URLs a 
few weeks ago. 

About 22.5 million users may have had GPS co-ordinates linked publicly 
to their UDIDs until the issue was corrected. 











communication. Second, and more importantly, the Mobile Device Operating System 
Manufacturers’ permissions structure does not distinguish between the application and 
OpenFeint; it is all seen as one unit. 

126. Traditional online advertising does not obtain user’s mobile devices UDIDs. 

Defendant OpenFeint’s objective was to obtain a mobile device’s “Fingerprint,” a practice of 

obtaining mobile device information to perpetually identify the mobile device as identification, 

which can then be linked to additional data elements to identify “Personally Identifiable 

Information” (“PH”), Personal Information and/ or Sensitive Information: 

“If we ask whether a fact about a person identifies that person, it turns out 
that the answer isn ’t simply yes or no. If all I know about a person is their 
ZIP code, I don 7 know who they are. If all I know is their date of birth, I 
don 7 know who they are. If all I know is their gender, I don 7 know who 
they are. But it turns out that if I know these three things about a person, I 
could probably deduce their identity! Each of the facts is partially 
identifying. ” 

Electronic Frontier Foundation, Technical Analysis by Peter Eckersley, “A Primer on 
Information Theory and Privacy” (last accessed April 15, 2011), online: 
http://www.eff.org/deeplinks/2010/01 /primer-information-theory-and-privacv 

127. Defendant OpenFeint’s SDK is downloaded within the client application by the 
Application Developer; however it is not known whether such occurs before or after it is 
submitted to the App Markets for review. The review may not include Defendant OpenFeint’s 
SDK that contains tools and codes for Application Developers use that are not included in the 
distributed apps. 

128. The use of mobile device identifiers linked to specific user data concerns 87% of 
all Americans who can be uniquely identified if date of birth, gender and geographic location is 


known. 


“Uniqueness of Simple Demographics in the U.S. Population by: Latanya 
Sweeney. LIDAP-WP4 Carnegie Mellon University, Laboratory for 
International Data Privacy, Pittsburgh, PA: 2000 (1000)“ 

129. Defendant OpenFeint’s API is split into two parts. The first is entirely 
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unauthenticated; the second is authenticated with the credentials of the Application Developer. 
After the Cortesi Study, the unauthenticated part of OpenFeint’s API stopped returning latitude 
and longitude that could be viewed by analyzing unauthenticated credentials. Without the ability 
to analyze the latitude and longitude obtained, the application’s authenticated credentials were 
now provided to Defendant OpenFeint. There still exists a need for the user to inspect the traffic 
from their mobile device during normal use to determine whether the authenticated portions of 
Defendant OpenFeint’s API do still return latitude and longitude for other users (for example, 
“friends” of the current user) obtaining a latitude and longitude for an arbitrary user. 

130. Mobile Device Operating System Manufacturers that operate the App Markets 
explicitly tell Application Developers that they must not publicly associate a mobile device’s 
unique identifier with a user account to ensure privacy. Mobile Device Operating System 
Manufacturers make the UDIDs available through an API call, originated from the application, 
only after the application has been screened and provided contractual assurances that it will abidi 
by the App Market’s Terms of Licensing Agreement. However, Defendant OpenFeint was not a 
party to this original Licensing Agreement. Defendant OpenFeint SDK's software bundle was 
not included in the Mobile Device Operating System, nor the approved app, as such the Mobile 
Device Operating System Manufacturers that operate the App Markets allowed only the 
applications to use its API call to access the user’s UDIDs. 

131. Both parts of Defendant OpenFeint’s API are intended for use by OpenFeint 
applications, but because of the way they designed their protocols, one part of it has no 
authentication. “Deeper” parts of the API can be authenticated using the app developer’s 
credentials (i.e. using the same credentials for all installed instances of the app), and supported 
by observing the traffic flowing to and from a user’s phone in motion. 

132. OpenFeint does not have a contract with the Mobile Device Operating Service 
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Manufacturers to access any of the mobile device data that is permitted by the applications. 
Defendant OpenFeint must use its SDK to circumvent the security protections created by the 
Mobile Device Operating System Manufacturers. 

133. The largest risk is that OpenFeint is returning all of this data unauthenticated. 
Third parties can query, based on UDIDs, and obtain this information. A user’s information is 
exposed on the internet and therefore a huge privacy risk. Moreover, Defendant OpenFeint 
“hogs” the Plaintiffs’ and Class Members’ bandwidth to conduct its unauthorized marketing 
practices: 

• 84% of apps tested contacted one or more domains during use. At the extreme 
end, iDestroy contacted 14 domains, including 3 different ad networks and OpenFeint. 

• 74% of apps tested sent the device UD1D to one or more domains. 

• 46% of apps that transmitted UDIDs did so in the clear. 

• 54% of apps transmitting UDIDs used encryption for all UDID traffic. 

Aldo Cortesi, “How UDIDs are used: a survey” May 19, 2011 (last accessed May 29, 2011) 
online: http://corte.si/posts/securitv/apple-udid-survev/ 

134. An additional privacy risk is when the data goes “upstream” from OpenFeint 
servers - only OpenFeint knows where the data goes after it hits their databases. Defendant 
OpenFeint provides “cloud storage” for data by using “The OpenFeint Network Save Card 
service,” and providing a simple API that enables an application to save a “blob” of data to the 
server and retrieve it later. Each blob is associated with a specific application, a specific user, 
and a key name chosen by the application. An application can only access blobs that it has 
created and only those that are associated with the current user. OpenFeint Network Save Card 
can be thought of as simple flat file system that follows a user account around the network and 
restores application specific data to a game even if the account shows up on a different device. 
Defendant OpenFeint’s the OFCloudStorage module allows you to store arbitrary game data on 
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OpenFeint servers. It is primarily intended for saving games. The module is represented by the 
include/OFCloudStorage.h header file. Each blob is distinguished by a key name unique within 
the context of the current application and user. The blob of data itself is passed through the API 
as an NSData object consisting of whatever binary data the application may store. 

2. Linking UDIDs to GPS Co-ordinates 

135. Plaintiffs and Class Members were not provided adequate notice, nor consented 
to, Defendant OpenFeint obtaining their “Fine” GPS co-ordinates, nor linking such to their 
mobile devices’ UDIDs. Minor children’s parents were not aware their children's exact location 
was being accessed for tracking. 

136. Defendant OpenFeint obtained Plaintiffs’ and Class Members’ “Fine” GPS co- 
; ordinates under false pretenses, by promoting its geo-location functionality as a means to play 
gamers “near you” or “near” the user's location; thus user’s expected Defendant OpenFeint 
would obtain “coarse” co-ordinates that only provide a range within a city/ zip code. Although in 
actuality, Defendant OpenFeint used such as a ploy to obtain the user’s exact latitude and 
longitude for tracking purposes, and in order to link such to their mobile device’s UDIDs. 

137. While “Tom-Tom” like mapping applications do require “Fine” co-ordinates, 
obtaining the exact latitude and longitude within a few feet of the user, most applications such as 
weather applications, require only coarse co-ordinates. Defendant OpenFeint’s promotions were 
misleading: 

• “Geo-location Leaderboards. FINALLY! We had this feature 5 months ago before 
decide to switch to OF. Users love to know others play not far.” 
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Slava Bushtruk, iOS Dev Tips “Why Open Feint 2.4 rocks” Dec 25, 2009 (last accessed May 24, 
2011), online: http://iPhone-dev-tips.alterplav.com/2009/ 12/whv-open-feint-24-rocks.html 

• Readme for OpenFeint iOS SDK 2.10.1 

• Ceolocation 

• Allow players to compete with players nearby. 

• Distance based leaderboards. 

• Map view with player scores near you. 

OpenFeint Developers Site, “Readme for OpenFeint iOS SDK 2.10.1” Last Updated: March 18, 
2011 (last accessed May 24, 2011), online: http://support.openfeint.com/dev/readme-for- 
openfeint-ios-sdk-2-10-1/ 

138. Minor children, nor their parents, that provided Defendant OpenFeint with their 
co-ordinates to play fellow games in their region or city were aware that their exact latitude and 
longitude was being obtained and being used as a tracking device, causing serious privacy 
violations and security risks involving millions of minor children. 

139. Permission to access location data is granted to the application by a popup 
displayed to the user. Defendant OpenFeint*s code running within the application may or may 
not then use this location information to send lat/long its servers. The app has its own code and 
the OpenFeint code is put inside the app code. Defendant OpenFeint’s server exists at its 
operation location; thus Defendant OpenFeint's code is within the app code that sends the data it 
obtains to its server. 

140. In this case, the user’s latitude and longitude is requested directly from the 
device's GPS, through the developer API. No request is made “upstream” to the Mobile Device 
Operating System Manufacturer or carrier. Mobile device operating system manufacturers API’s 
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design prevents applications from doing this unless user consent has been given. The user’s 
latitude and longitude is fme-grained; risking a “leak” since it was able to be obtained through an 
unauthenticated API call. 

141. Both UDID and location data can be requested locally from the device. The 
information is read from local hardware, so a request is made to the mobile device operating 
system but not to mobile device operating system manufacturer’s servers. 

142. After the Cortesi Study, the unauthenticated part of Defendant OpenFeint’s API 
stopped returning unauthenticated latitude and longitude; thus evidencing Defendant 
OpenFeint’s knowledge that such permissions were not enabled by Plaintiffs and Class 
Members, and of its ability to immediately cease such collection when notice of its act was 
reported to them. However, Defendant OpenFeint still obtains latitude and longitude, still obtains 
UDIDs, still aggregates data, and still links such to the user’s UDIDs. 

143. Defendant OpenFeint is a gaming platform that does not need GPS “Fine” 
location linkage data, does not need to store it, nor create security risks by returning all of this 
data unauthenticated through API calls that is obtained by a query on a user's UDIDs. OpenFeint 
still aggregates UDIDs with GPS co-ordinates since it is still aggregating latitude/ longitude and 
UDIDs. Portions of their API still returns user-associated GPS data, evidenced by passively 
observing the traffic leaving and entering a phone during normal use. Such is a huge privacy risk, 
exposing a user’s information to any associated entity on the internet. 

3. Linking UDIDs to Facebook Profiles or Twitter 

144. Plaintiffs and Class Members were not provided adequate notice, nor consented 
to, Defendant OpenFeint obtaining their Facebook or Twitter profiles, nor linking their mobile 
device’s UDIDs to their Facebook and/ or Twitter profiles. Minor children’s parents were not 
aware that their children’s Facebook was being accessed for tracking. 
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145. Defendant OpenFeint obtained Plaintiffs’ and Class Members’ Facebook and/ or 
Twitter profiles under false pretenses by promoting its Facebook/ Twitter functionality as a 
means to associate with, and invite Facebook and/ or Twitter friends to play games. In actuality 
though, Defendant OpenFeint used such as a ploy to “scrape” the Plaintiffs’ and Class Members’ 
Facebook and/ or Twitter profile for Personally Identifiable Information, including but not 
limited to a user’s pictures, in order to link such to their mobile device’s UDIDs. 

146. Defendant OpenFeint links UDIDs to Facebook accounts because users are still 
presented with the option to link their Facebook accounts to determine if their friends are playing 
the same Defendant OpenFeint affiliated gaming applications. Defendant OpenFeint then knows 
which accounts have which UDIDs, and which Facebook profiles are linked with which 
accounts, ergo, they can link Facebook profiles to UDIDs. Defendant OpenFeint only serves up 
an image through the Facebook Content Distribution Network (CDN). However, the CDN 
embeds the Facebook profile ID into the URL image thus giving the information needed to link 
back to a profile and a name. 

147. Plaintiffs and Class Members that enabled Defendant OpenFeint to link Facebook 
connect should have been provided adequate disclosure of what data would be transferred back 
and forth. 

148. Defendant OpenFeint obtained the Plaintiffs’ and Class Members’ pictures so as 
to link the identifier to the mobile device's owner’s Facebook profile, which effectively puts a 
face behind that string of numbers and letters, thus creating a permanent, unalterable tracking 
cookie that can’t be changed and is unknown to the user. Additional privacy and security 
concerns are increased because contained in the Facebook profile picture URL is the user’s ID 
number for the social network which would then allow a third party to capture the user’s name 
and other publicly shared information like their friend list and “likes” or connections. 
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149. While OpenFeint claims changes were made after the Cortesi study by reportedly 
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ceasing obtaining Facebook picture profile, Defendant OpenFeint is still linking UDIDs to 
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Facebook accounts. 

F. OpenFeint Controls All Facets of its OpenFeint Platform 
1. OpenFeint Platform 

150. Since Defendant OpenFeint launched its mobile gaming platform business, it has 
maintained control of how mobile devices that have its OpenFeint platform work, how 
consumers use them, and what happens when consumers use them—including functions that 
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Defendant OpenFeint controls, hidden from consumers’ sight, although Defendant OpenFeint 
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claims its practices would be transparent and inclusive. 

151. Defendant OpenFeint controls the process for the development software as well— 
such as influencing developers to use Defendant OpenFeint’s software development kit (“SDK”), 
and providing highly detailed guidelines for app development. 

152. Defendant OpenFeint uses the mobile device operating systems, its Platform, and 
the software development process to completely control the user experience by constructing the 
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user’s entire mobile computing environment. 
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153. Behind Defendant OpenFeint’s wall of control, it designs its App platform to be 
readily accessible to Application Developers, Ad networks and Web Analytic Vendors to access 
consumer's personal information. These companies not only provide an important revenue 
source for app developers who provide “free” apps through the Defendant OpenFeint Platform, 
but they also furnish the analytic data that demonstrates Defendant OpenFeint's market 
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leadership which it so often herald in its quarterly investor conference calls. By helping finance 
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third-party apps, these companies gain access to consumers’ mobile devices to collect personal 
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information they use to track and profile consumers, such as consumers' unique device 
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identifiers, geo-location histories, and Facebook profiles -highly personal details about who they 
are, who they know, and where they are. 

154. Since Defendant OpenFeint launched its mobile device business, it has sought to 
completely control the user experience by controlling all facets of the mobile environment. It has 
differentiated itself in the marketplace by advertising that it provides its customers a tightly 
integrated user experience. With this control comes responsibility. 

2. Defendant OpenFeint Controls Activities of Apps Within its Platform 

155. Plaintiffs and Class Members download apps that utilize a Mobile Device 
Operating System Manufacturer’s App Markets to Defendant OpenFeint’s Platform, but 
Defendant OpenFeint owns, controls, and operates its platform and activities of the downloaded 
apps within the OpenFeint Platform. 

156. Numerous apps available from the App Markets are created by third-party 
developers. There are several hundred thousand third-party apps available at the App Markets. 
Some of these are ostensibly free and some are sold for a fee. OpenFeint distributes approved 
free apps through the OpenFeint Platform without charging the developer a fee. Defendant 
OpenFeint also distributes approved apps for which the consumer is charged a price set by the 
developer; Defendant OpenFeint collects the payment price through its revenue collection 
mechanism and retains a percent of the payment as its fee. Third-party apps include applications 
for business use, such as contact management and business expense tracking; personal finance 
use, such as trading; media, such as news outlets; education, such as childbirth education and 
children’s math learning; and entertainment, such as movie reviews and electronic games. 

157. Defendant OpenFeint has control of the Application Developers by “vetting” the 
software applications for the devices, and controlling the OpenFeint Platform. No third party app 
developer is permitted to sell an app on the Defendant OpenFeint platform without entering into 
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OpenFeint’s Developer Agreement, nonetheless Defendant OpenFeint fails to control the 
developers by failing to implement a system to obligate the developers to abide by the terms of 
this agreement. 

158. Defendant OpenFeint represents to every Defendant OpenFeint Platform user, 
through a required click-through agreement, assurances that the Defendant OpenFeint Platform 
will not permit apps that violate their privacy and security. 

159. Defendant OpenFeint has also sought to exercise “indirect” control over what 
apps may use the Defendant OpenFeint platform. No developer is permitted to use the Defendant 
OpenFeint’s platform without entering into OpenFeint’s Developer Agreement. Defendant 
OpenFeint exercises its control of the OpenFeint Platform by implementing illusory contractual 
obligations in lieu of “vetting” the applications claiming to offer only apps that agree to its 
developer agreement; however users rely on Defendant OpenFeint to allow only those and found 
safe and appropriate. 

3. Defendant OpenFeint Controls the Process for Adds Available on its 
Platform 

160. In addition to controlling the characteristics and distribution of apps on its 
platform. Defendant OpenFeint exercises substantial control over its development and 
functionality. 

161. Application Developers must also agree to the terms of Defendant OpenFeint’s 
License Agreement. An app developed using Defendant OpenFeint’s SDK will only function and 
interact within the Defendant OpenFeint platform and its features only in the ways permitted by 
the Defendant OpenFeint Agreement. 
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G. Defendant QpenFeint is Negligent in Failing to Control OpenFeint Adds. 

1- OpenFeint Has Failed To Use Its Control Over Defendant QpenFeint Adds. 
the Marketing of the Adds, the Programming of the Adds, its Platform to Protect User 
Privacy and the Security of User Data on its Platform 

162. Defendant OpenFeint’s control of the user’s experience includes restrictions, such 
as blocking consumers from modifying the Defendant OpenFeint platform. As a direct 
consequence of the control exercised by Defendant OpenFeint, Plaintiffs and the Class Members 
cannot reasonably review the privacy effects of apps and must rely on Defendant OpenFeint to 
fulfill its duty to do so. Defendant OpenFeint represents that it undertakes such a duty, that all 
apps available in its OpenFeint Platform have agreed to Defendant OpenFeint’s mobile policies, 
and that it retains broad discretion to remove an app from the Defendant OpenFeint Platform. 

163. A third party cannot upload an app for sale in the Defendant OpenFeint Platform 
until Defendant OpenFeint enters into a licensing agreement with the App developer; thereby 
giving its approval for sale of the app through the Defendant OpenFeint Platform. Defendant 
OpenFeint represents that an app may not access information from, or about, the user stored on 
the user’s device unless the information is necessary for the advertised functioning of the app. 
Defendant OpenFeint represents that it does not allow one app to access data stored by another 
app. Defendant OpenFeint represents that it does not allow an app to transmit data from a user’s 
mobile device to other parties without the user's consent. Defendant OpenFeint though does not 
review app source code, i.e. it does not review the code written by the developer in a 
programming language to inspect in order to determine if apps acquire users’ personal 
information without the users' knowledge. Thus, Defendant OpenFeint’s policy of not reviewing 
app’s executable files permits apps that subject consumers to privacy exploits and security 
vulnerabilities to be offered in the Defendant OpenFeint Platform. Contrary to Defendant 
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OpenFeint’s representations to consumers, Defendant OpenFeint does not analyze the traffic 
generated by apps to detect apps that violate the privacy terms of the Defendant OpenFeint 
Developer Agreement and Defendant OpenFeint’s commitments to users. 

164. Defendant OpenFeint recommends users install only applications they trust and 
provides assurances to users that their privacy and security shall be protected since suspicious 
apps can be uninstalled at any time, but Defendant OpenFeint fails to address how users can 
make informed decisions about which apps are trustworthy and which are not. However, 
knowing what an app is capable of is different than knowing what it actually does. There is no 
way of knowing what liberties the apps on competing platforms take with users’ personal 
information, since Defendant OpenFeint failed to adequately inform users that their mobile 
device’s UDIDs would be provided to any party. 

165. Defendant OpenFeint provides assurances within its terms of service and privacy 
policy that Plaintiffs and Class Members are not at risk for privacy violations and security risks, 
but fails to provide notice that the origin of mobile tracking by third parties originates with the 
third party’s access to the user’s UDIDs. Defendant OpenFeint’s privacy policy fails to provide 
notice of the involvement of, and user data obtained by, advertising networks and web analytic 
vendors. 

166. Defendant OpenFeint fails to provide notice that mobile applications have access 
to a user’s UDIDs which is passed to Defendant OpenFeint when it uses an application. Because 
the mobile device identifier is static and generally cannot be changed, Defendant OpenFeint 
falsely claims that a user’s privacy is protected by associating your unique device identifier with 
an anonymous ID. In the online space, tracking is achieved through the placement of unique 
identification numbers on users’ machines via the utilization of cookies. Mobile applications, 
however, run outside of the browser environment, hence the necessity to tie data to device IDs 
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instead. Because mobile applications run outside the web browser where Ad Networks and Web 
Analytic Vendors access a user’s web browser “cookies” for tracking; therefore a user can’t 
reliably apply their web browser preferences to block Ads within mobile applications. 

167. Contrary to Defendant OpenFeint’s representations, and without any permission 
from its users, its platform design allows Application Developers to build apps that can easily 
access the following Personally Identifiable Information on a consumer’s mobile device: 

• “International Mobile Subscriber Identity (IMSI), which remains unchanged even 
when a user changes devices and which reveals the user’s country and mobile operator; 

• SIM card serial number (ICCID); and 

• Universally unique device identifier (UUIDs), which OpenFeint refers to as 
unique device identifiers (UDIDs), a number that uniquely identifies the particular Mobile 
Device.” 

168. Nothing in the click-through agreement provided its users reasonable notice of the 
mechanism and manner by which OpenFeint and its apps allow users to be tracked and have their 
personal information shared by use of UDIDs. OpenFeint understands the significance of how 
the unique device identifiers can violate a user’s privacy, since UDID’s information is 
“Personally Identifiable Information” because, if combined with other information, such as other 
information easily available on the mobile device, it can be used to personally identify a user. 
Further, UDIDs are globally unique—no other device bears the same identifying numbers. 

2. Defendant Exploits the Access to Consumer Data by Creating Additional 
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the Defendant, companies that incentivize Application Developers to provide the platform with 
free apps for mobile devices and provide Defendant OpenFeint the metrics to support its claims 
of market leadership. The personal and private information is of extreme interest to the 
Defendant Advertising Networks and Web Analytics companies. For this reason, the parties pay 
to support app development so that many apps are provided to consumers ostensibly “free” or at 
a lower cost. 

170. Defendant OpenFeint’s App Developer Agreement provides assurances to its 
users, including Plaintiffs and Class Members, that it shall provide protection and security for th< 
privacy and legal rights of users. 

171. Defendant OpenFeint provides assurances to Plaintiffs and Class Members that it 
shall provide protection and security for the privacy and legal rights of users and shall not allow 
activity that accesses their data in any unauthorized manner; however the Defendant OpenFeint 
provides no such protection. 

3. Privacy Interests and Consent 

172. Plaintiffs and Class Members in this action consider the information from and 
about themselves on their mobile devices, their mobile device’s UDIDs personal data derived 
from Facebook and/ or Twitter profiles and GPS “Fine” co-ordinates to be personal and private 
information. Therefore, they do not expect their data to be collected, used by third parties, nor 
linked to their mobile device’s UDIDs without their express consent. 

173. Plaintiffs and Class Members did not expect, receive notice of, nor consent to the 
Defendant tracking. Plaintiffs and Class Members did not expect, receive notice of, or consent to 
the Defendant’s acquisition of Plaintiffs' and Class Members’ Personally Identifiable 
Information. 
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174. The Defendant’s activities were in conflict with its privacy policies and/or terms 
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of use. 

175. The Defendant’s actions exceeded the scope of any authorization that was granted 
by Plaintiffs and Class Members at the time of enabling the OpenFeint Platform. 

176. Plaintiffs and Class Members consider information about their mobile 
communications to be in the nature of confidential information, including their “Fine” geo¬ 
location, Facebook and/ or Twitter profiles, and do not expect it to be shared with an unaffiliated 
company. Defendant sells users’ personal information after merging such with commercially 
available personal information obtained from a secondary information market which traffickers 
take substantial efforts to shield from the public. Defendant and other parties to the information 
market use the merger of personal information to effectively or actually de-anonymize 
consumers. 

177. Plaintiffs and Class Members did not consent to being personally identified to the 
Defendant or for their Personally Identifiable Information to be shared with and used on behalf 
of the Defendant. 

178. Defendant’s actions were knowing, surreptitious, and without notice; therefore 
were conducted without authorization and exceeding authorization. 

179. Defendant misappropriated Plaintiffs’ and Class Members’ personal information. 

180. Consumers routinely engage in online economic exchanges with the websites they 
visit by exchanging their personal information for the websites’ content and services, thereby 
reducing the costs consumers would otherwise have to pay. The transactions are value-for-value 
exchanges. This value-for-value exchange takes place particularly when an app is supported by 
advertising revenue, such as revenue the Defendant pays app developers. 
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181. Because Defendant engaged in undisclosed collection of consumers’ data and 
inadequately disclosed such, as alleged herein, those consumers did not receive the full value of 
their exchanges. In essence, Defendant raised the price consumers paid to use the app but instead 
of telling consumers or the website, Defendant simply reached around (or through) the website 
and into consumers’ pockets, extracting their undisclosed premium in the form of consumers’ 
information. 

182. Because Defendant imposed an undisclosed cost on consumers by taking more 
information than they were entitled to take, Defendant’s practices imposed economic costs on 
consumers. 

183. The scarcity of consumer information increases its value. Defendant devalued 
consumers’ information by taking and propagating it. 

184. The undisclosed privacy and information transfer consequences of Defendant’s 
practices imposed costs on consumers in the form of the loss of the opportunity to have entered 
into value-for-value exchanges with other app providers whose business practices better 
conformed to consumers’ expectations. Thus, Defendant's failure to adequately disclose the 
information practices and by using their lack of disclosure as a cover for taking consumers' 
information, Defendant imposed opportunity costs on consumers. 

185. Similarly, Defendant’s lack of disclosure coupled with their taking of information 
imposed costs on consumers who would otherwise have exercised their rights to utilize the 
economic value of their information by declining to exchange it with Defendant or any other app 
provider. 

186. Consumers’ information, an asset of economic value in the ways described above, 
has discemable value as an asset in the information marketplace where consumers may market 
their own information. 
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187. Defendant’s conduct alleged in this complaint constituted an ongoing course of 
conduct that harmed Plaintiffs and Class Members in general, and caused them to incur financial 
losses. 

188. Defendant deprived Plaintiffs and Class Members of and/or diminished the 
economic value of their personal information. 

189. Defendant used Plaintiffs’ and Class Members’ personal information for their 
own economic benefit. 

190. Plaintiffs’ and Class Members’ experiences are typical of the experiences of Class 
Members. 

191. The aggregated loss and damage sustained by the Class, as defined herein, 
includes economic loss with an aggregated value of at least $5,000 during a one-year period. 

192. Defendant perpetrated the acts and omissions set forth in this complaint through 
an organized campaign of deployment, which constituted a single act. 

193. Plaintiffs and Class Members have been harmed by the Defendant's deceptive 
acquisition of their personal information, linkage of their mobile device’s UDIDs, loss of their 
rights to use, share, and maintain the confidentiality of their information, each according to his or 
her own discretion. 

H. “Bandwidth Hog” - Economic Harm 

194. Defendant caused an economic harm to the Plaintiffs and Class Members that is 
actual, non-speculative, sum certain; and scientifically documented incurred by the unauthorized 
use of their mobile device’s bandwidth; in that: 

1. Plaintiffs and Class Members purchased a monthly limited 
bandwidth data plan for their mobile device from their carrier; 

2. Plaintiffs and Class Members then downloaded Defendant 
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OpenFeint’s affiliated applications and Defendant OpenFeint’s 
API’s integration directly to their mobile devices, “expecting” and 
agreeing to limited bandwidth consumption required and necessary 
to interact with the gaming applications and operate the mobile 
device. 

3. However, Defendant OpenFeint and affiliated applications then 
made “calls” directing Plaintiffs’ and Class Members’ mobile 
device to third parties for marketing purposes, thereby depleting 
the purchased and linked bandwidth data plan of the Plaintiffs and 
Class Members, and such was not “expected” by the user, not 
required to interact with the gaming application, not agreed upon 
by the user, and not necessary to operate the mobile device. 

195. Bandwidth is the amount of data that can be transmitted across a channel in a set 
amount of time. Any transmission of information on the internet includes bandwidth. Similar to 
utility companies, such as power or water, the “pipeline” is a substantial capital expenditure, and 
bandwidth usage controls the pricing model. Hosting providers charge users for bandwidth 
because their upstream provider charges them and so forth until it reaches the “back bone 
providers.” Retail providers purchase it from wholesalers to sell to its consumers. 

196. “Unlimited” plans are not unlimited. Major provider plans may refer to its plans 
as unlimited for marketing purposes, but the plans have limitations, usually noted in a footnote oi 
link to another page discussing its limitations as to usage amounts. Providers could not possibly 
allow “unlimited” plans because servers do not have unlimited amounts of space. “Unlimited” 
data plans used to be unlimited until people started to figure out how to “tether,” a method for 
connecting a computer to the internet via an internet-capable mobile phone. The term 
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“unlimited” is now used to define what is considered to be more than a reasonable amount of 
data allotment. 

197. Network providers’ data plans charge consumers based upon such items as usage 
and “caps,” i.e. S30.00 per month for an unlimited plan is standard; but limited plans have caps, 
such as: 256 GB per month. Some national providers charge $1.00 per GB of bandwidth 
exceeding a certain cap. Whether the data plan is marketed as “unlimited” or “limited,” the costs 
for the plans are allocated based upon the bandwidth usage. Thus, as the standard use of 
bandwidth increases, so too does the plan costs. Since plans are based upon user’s average use, 
as consumer’s usage increases collectively, costs increase for all users, while individual 
bandwidth overages can be costly. 

198. According to AT&T’s Web page detailing available data rate plans, users who 

pay $60 for their DataConnect services get a monthly 5GB bandwidth cap and are to pay 

$0.00048 per additional kilobyte of data they consume, or about $500 per every gigabyte over 

the cap. Thus, a user who consumed three times the amount of data allowed by the company’s 

bandwidth cap would be charged about $5,000 extra per month.” 

Brad Reed, “User sues AT&T over $5,000 Web bill” (last accessed April 15, 2011) 
online: http://www.OpenFeint.com/legal/mobileme/en/terms.html 

199. The technology behind the World Wide Web is the Hypertext Transfer Protocol 
(HTTP) and it does not make any distinction as to the types of links, thus all links are 
functionally equal. Resources may be located on any server at any location. When a web site is 
visited, the browser first downloads the textual content in the form of an HTML document. The 
downloaded HTML document may call for other HTML files, images, scripts and/or style sheet 
files to be processed. These files may contain tags which supply the URLs that allow images to 
display on the page. The HTML code generally does not specify a server, meaning that the web 

browser should use the same server as the parent code. It also permits absolute URLs that refer to 
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images hosted on other servers. Once the application has stored the data, it will attempt to send 
information back to Application Developer affiliate’s servers. In most cases this is done every 
time you open and close an application. The data is continually tracked. An Application 
Developer affiliate’s enabled application does not take just one sample, it will record every use 
of the application for the life of that application on your phone and your information is sent 
automatically at a user’s expense. 

200. Ads consume vast amounts of bandwidth which results in slowing a user’s 
internet connection by using their bandwidth and diminishing the mobile devices battery life in 
order to retrieve advertisements. Web Analytics devour more bandwidth than ads by accessing 
bandwidth to download and run ad script, thus Plaintiffs and Class members that did not access 
ads on an application still had the Defendant’s Application Developers and Defendant 
Application Affiliates use their bandwidth: 

“When you’re probing, you're using a users battery and data when they don't know about 

it, but it’s a faster way to build up data cause you’re not waiting for the user to check in a 

few times a day. You're pinging in 100 times a day....” 

Yarow, Jay “Everything You Need to Know About How Phones are Stalking You 
Everywhere” (last accessed June 16, 2011) online: 
http://www.businessinsider.com/skvhook-ceo-201 l-4#ixzzlPTSNQlpq 

201. Advertisers are now using the internet as their primary ad-delivery pipe, 
continually upcoming and downloading data from its networks causing substantial bandwidth 
use. Ads that were hidden in content, or bundled used substantial bandwidth, as did Application 
updates. Web analytics activities delayed movement on a site, users on a site, using their 
bandwidth, to complete its activities. 

202. Application Developers and Application Developers Affiliates used ad content, 
such as streaming video and audio, that required excessive Plaintiffs' and Class Members' 
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bandwidth, due in part, because there was no incentive to reduce the ad size used because it 
could directly pass costs for bandwidth and ad delivery content to Plaintiffs and Class Members, 
without the Plaintiffs and Class Members from having any notice, i.e. Plaintiffs and Class 
Members playing a game application, and at the same time. Application Developers and 
Application Affiliates were silently harvesting personal data and sending it to remote servers 
using Plaintiffs’ and Class Members’ bandwidth. 

203. Defendant’s use of the Plaintiffs’ and Class Members’ bandwidth for its data 
mining activities is similar in nature to a practice called “hot linking;” wherein one (1) server 
uses another server’s bandwidth to send data. While it slows down the server, it also allows 
bandwidth costs to be transferred to another server. Defendant’s data mining activities produces 
similar unauthorized bandwidth use. While only the tech savvy individuals are aware that their 
mobile devices are used as a server without their knowledge or consent, fewer individuals are 
aware of the extent that Application Developers and Application Developer Affiliates make 
“calls” to third parties, and of the amount of user’s bandwidth used when a user merely accesses 
a site: 

* “Let’s look at what the popular twitterfon app does: 

a. App start 

b. Calls videoegg.adbureau.net, reports an Android is being used, 

sends UDID, app name & version. 

c. Calls met.adwhirl.com, sends app ID, Android UDID, county 

d. Calls twitter 

e. Calls pagead2.OpenFeintsyndication.com 

f. Calls beacon.pinchmedia.com, sends UDID, Android firmware, 

app ID & version, crack & jailbreak status, start & stop times 

g. App close” 

I Yobie Benjamin, “iBigBrother? Android privacy issues may interest FCC and FTC” {last 
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integration, including the Facebook traffic (fbcdn), the Twitter image traffic, and the direct 
traffic to OpenFeint’s servers. The traffic to third parties for marketing purposes, such as the 
Application Developer’s re-direction to third party domains is not required, nor authorized by the 
user; moreover the user is never prompted to allow it or notified that it has occurred. 

206. The basic nature of HTTP is a challenge-response protocol. For each request, 
there is necessarily a response. Conventional technical usage would refer to the challenge- 
response pair as a single “call.” 

207. Defendant OpenFeint’s Platform allows for the use of newsletters and updates to 
allow the continuous interaction with the user’s device; however such uses substantial 
bandwidth. Defendant OpenFeint and gaming applications want to have content sent 
continuously from the games to the users since the games are rated by usage and do not 
differentiate between players’ usage as opposed to “push notification content,” and all in an 
effort to move up to top spots on the app lists for most visited applications which increase sales. 
The content push and calls repeat periodically, and use a substantial amount of Plaintiffs* and 
Class Members’ bandwidth. This type of user traffic is usually triggered on use - i.e. traffic 
would be sent every time the app is started up, or whenever some other trigger event occurred 
during use. 

208. Plaintiffs and Class Members that accessed Defendant OpenFeint's applications 
were re-directed to multiple domains, without their knowledge or consent; thus Plaintiffs' and 
Class Members’ bandwidth was used for Defendant OpenFeint’s and OpenFeint affiliated 
applications’ marketing activities. The “Cortesi Study” was updated recently and revealed that 
84% of the apps tested contacted one or more domains during use. At the extreme end, iDestrov . 
a Defendant OpenFeint affiliated application, contacted fourteen (14) domains, including the 
following three (3) different ad networks and Defendant OpenFeint after the user accessed the 
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provision of the opportunity for opting-out was, itself, totally misleading. 

218. Plaintiffs and the Class Members did not voluntarily disclose their personal and 
private information to the Defendant’s tracking, let alone their mobile device habits to Defendant 
- and indeed never even knew that Application Developers Affiliates existed or conducted data 
collection and monitoring activities upon and across its Plaintiffs’ and Class Members’ 
applications. Plaintiffs and the Class Members provided such information, and had specific 
mobile device habits monitored, without their knowledge or consent, and would not have 
consented having their personal and private information, including use of their on-line Facebook 
and/ or Twitter profiles, or “Fine” geo-location used for Defendant’s commercial gain. 

219. Defendant did not obtain consent from Plaintiffs and Class Members for any 
collection or use of any and all data derived in whole or part from use of UDIDs. Plaintiffs and 
Class Members were not allowed to decline consent at the time such statement was presented. 

220. Defendant did not obtain consent from Plaintiffs and Class Members for any 
disclosure of covered information to unaffiliated parties. Plaintiffs and Class Members were not 
allowed to decline consent at the time such statement was presented. 

221. Defendant intentionally accessed data, derived in whole part, from Plaintiffs’ and 
Class Members’ mobile devices without authorization or exceeded authorized access to obtain 
information from a protected mobile device through interstate communications. 

222. Defendant sold, shared, and/or otherwise disclosed covered information of Class 
Members to an unaffiliated party without first obtaining the consent of the Class Members to 
whom the covered information belonged. 

223. At all relevant times, Plaintiffs’ and Class Members’ personal and private 
information was electronically intercepted and/or accessed by and transmitted to Defendant on a 
regular basis, without alerting Plaintiffs and Class Members in any manner. As a result, 
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Defendant was able to and did obtain data derived in whole or part from Plaintiffs' and Class 
Members’ mobile devices and/or intercept their electronic communications without 
authorization. Defendant has obtained, compiled, and used this personal information for its own 
commercial purposes. 

224. Defendant intercepted Plaintiffs’ and Class Members’ electronic communications 
for the purposes of obtaining mobile device data, using UDIDs from Plaintiffs’ and Class 
Members’ mobile devices by repeatedly accessing electronic communications without Plaintiffs ‘ 
and Class Members’ knowledge and consent to profile, secretly track Plaintiffs’ and Class 
Members’ activities on the Internet and collect personal information about consumers; and profit 
from the use of the illegally obtained information, all to Defendant’s benefit and Plaintiffs’ and 
Class Members’ detriment. 

225. Defendant intentionally intercepted, endeavored to intercept, or procured another 
entity to intercept or endeavor to intercept the electronic communication of Plaintiffs and Class 
Members. 

226. Defendant has, either directly or by aiding, abetting and/or conspiring to do so, 
knowingly, recklessly, or negligently disclosed, exploited, misappropriated and/or engaged in 
widespread commercial usage of Plaintiffs’ and the Class Members’ mobile device data, 
obtained private and sensitive information for Defendant’s own benefit from unauthorized use of 
their UDIDs, without Plaintiffs’ or the Class Members’ knowledge, authorization, or consent. 
Such conduct constitutes a highly offensive and dangerous invasion of Plaintiffs' and the Class 
Members’ privacy. 

227. Defendant used and consumed the resources of the Plaintiffs’ and Class 
Members’ mobile devices by gathering user information, adding such information to their mobile 
database, and transferring such to Defendant. 
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228. Defendant caused harm and damages to Plaintiffs’ and Class Members’ mobile 
devices finite resources, depleted and exhausted its memory, thus causing an actual inability to 
use it for its intended purposes. Defendant caused significant unwanted CPU activity, usage, and 
network traffic, resulting in instability issues. 

229. Defendant caused harm and damages to the Plaintiffs and Class Members 
including, but not limited to, consumption of their device’s finite resources, memory depletion, 
and bandwidth, which resulted in the actual inability to use if for its intended purposes. 

230. Defendant’s activity was not evident. Plaintiffs and Class Members assumed that 
the issues related to hardware, Windows installation problems, or viruses, and resorted to 
contacting technical support experts, or even buying a new mobile device because the existing 
system mobile device posed privacy risks. 

231. Defendant harmed Plaintiffs and Class Members by its actions which included, 
but not limited to, the following: 

a) Loss of valuable data by attempts to remove UDIDs and databases once 
discovered; 

b) Incurred economic losses accompanied by an interruption in service; 

c) Functionality of mobile device was interfered with, including an inability 
of applications visited once content was disabled; 

d) Information was deleted, otherwise made unavailable; 

e) Impaired the integrity and availability of data, programs, and information; 

f) Mobile device bandwidth; and 

g) Inability to resell the user's mobile device with UDIDs associated with 
user’s aggregate mobile device data. 

232. Defendant impacted the Plaintiffs’ and Class Members’ ability to sell their mobile 
devices since the mobile device’s UDIDs will have aggregated data linked to such device and 
will continue to provide aggregated cross platform data. The new mobile device owner will then 
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233. Plaintiffs and Class Members were personally injured, as that term is recognized 
within the cyber and technology industry, when Defendant intentionally, or in the alternative, 
negligently, obtained, processed, and disseminated content, obtained without authorization, 
invaded Plaintiffs’ and Class Members’ right of privacy, which portrayed Plaintiffs and Class 
Members in a false light by publicly disclosing private facts through their intrusion into the 
Plaintiffs’ and Class Members’ personal mobile browsing activity. 

234. Defendant’s impact upon the Plaintiffs’ and Class Members’ mobile devices was 
significant resulting in a substantial reduction in available memory, processing power and 
database storage. 

235. Defendant’s interaction with the Plaintiffs’ and Class Members’ mobile device 
was not temporarily, but a permanent use of the mobile devices’ storage resulting in a significant 
loss of use and potentially overwhelming the Plaintiffs’ and Class Members’ databases. 

236. Plaintiffs and Class Members expended money, time, and resources investigating 
and attempting to mitigate their mobile devices diminished performance, in addition to 
investigating and attempting to remove the Defendant’s tracking mechanisms. 

237. Plaintiffs and Class Members conducted a damage assessment once they became 
aware ot Defendant’s practices, made the basis of this action, to attempt to restore any affected 
data, program, system or information. 

238. Defendant’s conduct caused outrage, mental suffering, harm, and humiliation to 
Plaintiffs’ and Class Members’ privacy expectations. 

239. Defendant intentionally disposed of the Plaintiffs’ and Class Members' property 
by using and intermeddling with their mobile devices so as to impair its condition, quality, and 
value, thus preventing the Plaintiffs and Class Members from using their mobile devices for a 
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substantial time. 

240. Defendant’s Unique Device Identifier remains identified with the Plaintiffs’ and 
Class Members’ devices, thus the value of the device has been diminished, or now has no value 
for resale. 

241. Defendant’s activities occurred throughout the United States. Defendant secretly 
obtained personal and private information from Plaintiffs and the Class Members - a course of 
action and a body of information that is protected from interception, access, and disclosure by 
federal law. 

242. Defendant used, interfered with, and intermeddled with Class Members’ 
ownership of their personal property, namely, their mobile devices, by directly or indirectly: 
secretly obtaining Plaintiffs’ and Class Members’ data derived from their UDIDs; secretly 
accessing their mobile devices to obtain information contained in and enabled by the Unique 
Device Identifier; and secretly collecting personal data and information regarding each Plaintiffs’ 
and Class Members’ Internet surfing habits contained in electronic storage on his/her mobile 
device. 

243. Defendant failed to disclose that UDIDs are used to track and store information 
regarding consumers’ Internet use and other forms of advertisements on consumers’ mobile 
devices based on such use. The installation of such tracking device would be material to 
consumers in their decision whether to install the software offered by Defendant. 

244. Defendant’s technology wrongfully monitored Internet users’ activities at each 
and every affiliated application visited. The wrongfiilness of this conduct is multiplied by the 
fact that Defendant aggregates this information about users’ habits across numerous applications 
and unjustly enriched Defendant to the severe detriment of Plaintiffs and the Class Members. 
Plaintiffs and the Class Members have been harmed, as they have been subjected to repeated andj 
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unauthorized invasions of their privacy - violations which continue to this day. 

245. Without remedy. Plaintiffs and Class Members will continue to be tracked by 
dozens of companies — companies they’ve never heard of, companies they have no relationship 
with, companies they would never choose to trust with their most private thoughts and reading 
habits. 

246. Defendant’s privacy documents, which include, but are not limited to, its privacy 
policy and terms of use, intentionally, or in the alternative, negligently, omit notice of any and all 
of its activities made the basis of this action. Such omissions relate in whole or part, to 
Defendant’s intentional, or in the alternative, negligent, omission within its privacy documents to 
any and all activities related to the basis of this action and notice of its activities with each 
Affiliate. 

247. Defendant’s privacy documents fail to provide adequate notice that third parties, 
made the basis of this action, would be allowed access to personal behavioral data of their users, 
including but not limited to, such data embedded with their applications, which in turn shares the 
data with its marketing partners or corporate affiliates and subsidiaries. Therefore, user behavior 
will be profiled by any other entities with whom those sites may choose to share this 
information. While Defendant’s privacy documents state they do not share data with third 
parties, they do share data with affiliates, suggesting that they only share data with companies 
under the same corporate ownership. 

248. Defendant's privacy documents referenced the use of analytics, but state such is 
used only for audience measurement and not behavioral ad-targeting. 

249. Defendant’s privacy documents do not expressly state that if a user does not 
enable Defendant's platform to be downloaded that behavioral information will not be collected 
pertaining to the user. 
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250. Defendant’s privacy documents falsely imply some level of protection for the 
user. Defendant’s privacy documents are sufficiently vague so as to refrain from fully disclosing 
information to their users about the information collected through their applications, their 
associated entities, how the information is used, and the purposes for the collection and use of 
this information. Thus, negating the possibility for their users to provide informed and 
meaningful consent to these practices. Without adequate notice and informed and meaningful 
user consent, users had no control over their personal information. The potential privacy dangers 
were not readily apparent to most users. 

251. Defendant’s privacy documents require college-level reading skills for 
comprehension and include substantial legalese, ambiguous and obfuscated language designed to 
confuse, disenfranchise, and mislead the users. 

252. Defendant’s privacy documents incorporate a multitude of hedging and modality 
markers so as to minimize their use of covert surveillance technology and data-gathering tools. 
Defendant sends mixed messages related to privacy controls by advising users that choosing to 
exercise such controls would cause in whole, or part, diminished functionality of their 
applications. 

253. Defendant’s privacy documents describe “associations,” misleading the users to 
interpret them to be associated corporate subsidiaries while withholding accurate information 
that such includes other entities than advertising networks, such as: advertising networks, data 
exchanges, traffic measurement service providers, marketing and analytic service providers. 

254. Defendant’s applications and its tracking services are owned by parent companies 
that have many subsidiaries. Defendant fails to provide adequate information about third-party 
information sharing, different than affiliate sharing, which is subject to more restrictions, 
including opt-in or opt-out consent requirements. These restrictions are based upon the 
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policy. Choice, therefore, could not be inferred. 

259. Defendant’s privacy documents carefully attempt to parse the definitions of 
phrases related to their tracking activity. Their privacy documents are more nuanced than such 
categorized analysis allows for by means of embedding any and all purposes for its use of: 
surveillance technology into the user’s mobile device hardware; user’s mobile device hardware 
to store data; technology to allow the perpetual mobile device tracking and surveillance of any 
and all mobile device Internet activity of the Defendant OpenFeint users. It is evidenced by the 
attempt of Defendant OpenFeint to hide its covert activity by referring to their use of “other 
technologies,” or “similar technologies,” and omitting information that UDIDs would be used to 
track users, and its perpetual existence on a user’s mobile device. 

260. Defendant’s privacy documents fail to provide notice that their data storage 
practices as they relate to the period for which user data is stored, have no term period, and are 
indefinite. 

261. Defendant’s privacy documents’ verbiage was deceptive by design. This 
deception is especially troubling when compared with the obligation imposed upon their mobile 
device visitors to download, read, and comprehend the vast amount of documents required to 
protect one’s mobile device privacy, complicated by the cumulative effect of such task. 

262. In addition to downloading, reading and comprehending all of Defendant 
OpenFeint’s and Application Developers privacy documents, although most did not provide 
such, its users would be required to locate and attempt to do the same for Application Developers 
Affiliates. To accentuate the improbability of completing this task, Plaintiffs and Class Members 
were not provided information of the identity of Application Developer’s Affiliates, nor its 
association with Defendant OpenFeint. 

263. Application Developer Affiliates' privacy documents reveal omissions related in 
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whole or part, intentionally, or in the alternative negligently, to any and all activities related to 
the basis of this action and notice of its activities with Application Developers. 

264. Defendant’s mobile device privacy protection was premised upon imposed 
requirement to download, read, and comprehend the accumulation of all privacy documents of 
all involved entities. 

265. A millisecond was the time allotted to the Plaintiffs and Class Members download 
of a Defendant OpenFeint Market affiliated application, before Defendant OpenFeint, 

Application Developers and Application Developer Affiliates intentionally, and without user’s 
authorization and consent, had Defendant OpenFeint transmit, and/or allowed access to, data 
related to whole or part, from the Plaintiffs’ and Class Members’ mobile devices' UDIDs. Such 
occurred without the benefit of being advised of the association between Defendant OpenFeint, 
Application Developer and its Application Developer Affiliate, or provided adequate time to 
access, read, and comprehend the Terms of Service/Use and Privacy Policy for all parties which 
had privacy policies. While only the most technical savvy mobile device users were familiar with 
UDIDs, a finite amount of individuals even knew about “UDIDs,” let alone could possibly 
comprehend the technical aspects inherent within the Defendant’s privacy documents. 

266. The collection, use and disclosure of tracking data, such as obtaining a users' 
UDIDs by Defendant to provide its services, implicates Plaintiffs’ and Class Members’ privacy 
and physical safety. Such information is afforded special attention due to the consequences for 
both privacy and physical safety that may flow from its disclosure. The heightened privacy and 
physical safety concerns generated by the collection, use and disclosure of location information 
are apparent in U.S. law that creates restrictive consent standards for its use and disclosure in the 
private sector in the context of telecommunications services. 

267. Defendant OpenFeint’s platform to aggregate user data, in association with its 
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user’s UDIDs has the potential to transform the World Wide Web from a largely anonymous 
environment into one where individuals are expected, or even required, to identify themselves in 
order to participate in online activities, communicate, and make purchases. This occurrence 
would represent a grave erosion of consumer’s online privacy. Many of the activities in which 
individuals engage on the Web do not require the collection of identifiers or personal information 
of any type. Free applications involve a user not paying for a product, but paying with their 
personal information, which becomes the actual product. 

268. The tracking and monitoring of mobile device usage will have a negative effect 
on individuals' access to information. The anonymity that the Internet affords individuals has 
made it an incredible resource for those seeking out information. Particularly where the 
information sought is on controversial topics such as sex, sexuality, or health issues such as HIV, 
depression, and abortion; the ability to access information without risking identification has been 
critical. It will result in increased pressure on individuals to permit the collection of the UDIDs, 
and other information that can be tied to it, as a quid pro quo of engaging in transactions and 
interactions online, thereby placing a burden on individuals who choose to protect their privacy. 

269. Because of Defendant OpenFeinf s market dominance, UDIDs have the potential 
to become the unique identifier for nearly everyone on the Internet - fundamentally changing the 
mobile internet experience from one where consumers can browse and seek out information 
anonymously, to one where an individual’s every move is recorded. Our society's experience 
with unique identifiers suggests that accessing UDIDs from mobile devices to link Personally 
Identifiable Information with shall erode individual privacy. The history of the Social Security 
Number reveals the unrelenting pressures to expand the use of an identifier once it is created - 
even where its use is initially curtailed by federal policy. Once a unique device identifier is 
capable of identifying and tracking individuals in the online environment is created, it will be far 
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more difficult to limit its use. The Social Security Number (SSN) offers a compelling example of 
how a unique identifier can undermine individual privacy and become a de facto national 
identifier. The UDID has the potential though to further the surreptitious collection and use of 
data without an individual’s consent. Unlike a real world identifier, such as the Social Security 
Number, the UDID, a virtual identifier, is capable of being collected and used without the 
individual’s knowledge and consent causing privacy and security violations. 

CLASS ALLEGATIONS 
Allegations as to Class Certification 

270. Pursuant to Federal Rule of Civil Procedure 23(a), (b)(1), (b)(2), and (b)(3). 
Plaintiffs bring this action as a Class action, on behalf of themselves and all others similarly 
situated as members of the following Classes (collectively, the “Class”): 

a) U.S. Resident Class: All persons residing in the United States that 
downloaded and enabled a mobile application affiliated with OpenFeint, from 
February 17, 2009 to the date of the filing of this complaint. 

b) Injunctive Class: All persons after the date of the filing of this complaint, 
residing in the United States that downloaded and enabled a mobile 
application affiliated with OpenFeint after the date of the filing of this 
complaint. 

271. The Class action period, (the “Class Period”), pertains to the dates, February 17, 
2009 to the date of Class certification. 

272. Plaintiffs reserve the right to revise the definitions of the Classes based on facts 
learned in the course of litigation of this matter. 

273. On behalf of the U.S. Resident Class, Plaintiffs seek equitable relief, damages and 
injunctive relief pursuant to: 

a) Computer Fraud and Abuse Act, 18 U.S.C. § 1030; 

b) Electronic Communications Privacy Act, 18 U.S.C. § 2510; 

c) California’s Computer Crime Law, Penal Code § 502; 
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d) California’s Invasion of Privacy Act, Penal Code § 630; 

e) Consumer Legal Remedies Act, (“CLRA”) California Civil Code § 1750; 

f) Unfair Competition, California Business and Professions Code § 17200; 

g) Breach of Contract; 

h) Breach of Implied Covenant of Good Faith and Fair Dealing; 

i) Conversion; 

j) Negligence; and 

k) Trespass to Personal Property / Chattels 

274. On behalf of the Injunctive Class, Plaintiffs seek only injunctive relief. 

275. Persons Excluded From Classes: Subject to additional information obtained 
through further investigation and discovery, the foregoing definition of the Class may be 
expanded or narrowed by amendment or amended complaint. Specifically excluded from the 
proposed Class are Defendant, their officers, directors, agents, trustees, parents, children, 
corporations, trusts, representatives, employees, principals, servants, partners, joint ventures, or 
entities controlled by Defendant, and their heirs, successors, assigns, or other persons or entities 
related to or affiliated with Defendant and/or their officers and/or directors, or any of them; the 
Judge assigned to this action, and any member of the Judge’s immediate family. 

276. Numerositv : The members of the Class are so numerous that their individual 
joinder is impracticable. Plaintiffs are informed and believe, and on that basis allege, that the 
proposed Class contains tens of thousands of members. The precise number of Class Members is 
unknown to Plaintiffs. The true number of Class Members is known by Defendant, however and, 
thus. Class Members may be notified of the pendency of this action by first Class mail, electronic 
mail, and by published notice. Upon information and belief, Class Members can be identified by 
the electronic records of Defendant. 

277. Class Commonality : Pursuant to Federal Rules of Civil Procedure, Rule 23(a)(2) 
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1 




and Rule 23(b)(3), are satisfied because there are questions of law and fact common to Plaintiffs 


2 


and the Class, which common questions predominate over any individual questions affecting 


3 


only individual members, the common questions of law and factual questions include, but are noti 


4 


limited to: 


5 

6 
7 


a) What was the extent of Defendant’s business practice of transmitting, 

accessing, collecting, monitoring, and remotely storing users’ Unique Device 
Identifiers (“UDIDs”) obtaining a user’s Personally Identifiable Information, 
and linking the aggregated data with the user’s UDIDs and how did it work? 


b) What information did Defendant’s collect from its business practices of 
transmitting, accessing, collecting, monitoring, and remotely storing users’ 
Unique Device Identifiers (“UDIDs”), and what did it do with that 
information? 


11 c ) Whether users, by virtue of their downloading the application, had pre¬ 

consented to the operation of Defendant’s business practices of transmitting, 

12 accessing, collecting, monitoring, and remotely storing users’ Unique Device 
Identifiers (“UDIDs”); 


14 

15 

16 

17 

18 


d) Was there adequate notice, or any notice, of the operation of Defendant’s 
business practices of transmitting, accessing, collecting, monitoring, and 
remotely storing users' Unique Device Identifiers (“UDIDs”) provided to 
Plaintiffs and Class Members? 

e) Was there reasonable opportunity to decline the operation of Defendant's 
business practices of transmitting, accessing, collecting, monitoring, and 
remotely storing users' Unique Device Identifiers (“UDIDs”) provided to 
Plaintiffs and Class Members? 


19 

20 
21 


f) Did Defendant's business practices of obtaining, collecting, monitoring, and 
remotely storing users' Unique Device Identifiers (“UDIDs”) disclose, 
intercept, and transmit Personally Identifying Information, or Sensitive 
Identifying Information, or Personal Information? 


22 

23 

24 

25 

26 

27 

28 


g) Whether Defendant devised and deployed a scheme or artifice to defraud or 
conceal from Plaintiffs and the Class Members Defendant’s ability to, and 
practice of, intercepting, accessing, and manipulating, for its own benefit. 
Personal Information, and tracking data from Plaintiffs’ and the Class 
Members’ personal mobile device via the ability to track their mobile device 
by tracking its UDID on their mobile device; 

h) Whether Defendant engaged in deceptive acts and practices in, connection 
with its undisclosed and systemic practice of transmitting, accessing and/or 
disclosing unique identifiers, tracking data, and Personal Information on 
Plaintiffs’ and the Class Members' personal mobile device and using that data 
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to track and profile Plaintiffs’ and the Class Members’ Internet activities and 
personal habits, proclivities, tendencies, and preferences for Defendant’s use 
and benefit; 

i) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, and remotely storing users’ Unique Device 
Identifiers (“UDIDs”) violate the Computer Fraud and Abuse Act, 18 U.S.C. 
§§ 1030? 

j) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users’ Unique Device 
Identifiers (“UDIDs”) violate the Electronic Communications Privacy Act, 18 
U.S.C. §2510? 

k) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users’ Unique Device 
Identifiers (“UDIDs”) violate the Violations of California’s Computer Crime 
Law, Penal Code § 502? 

l) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users' Unique Device 
Identifiers (“UDIDs”) violate the Violations of the California Invasion of 
Privacy Act, Penal Code § 630? 

m) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users’ Unique Device 
Identifiers (“UDIDs”) violate the Violations of the Consumer Legal Remedies 
Act, (“CLRA”) California Civil Code § 1750? 

n) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users' Unique Device 
Identifiers (“UDIDs”) violate the Violation of Unfair Competition, California 
Business and Professions Code § 17200? 

o) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users' Unique Device 
Identifiers (“UDIDs”) involve a Breach of Contract? 

p) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users' Unique Device 
Identifiers (“UDIDs”) involve a Breach of Implied Covenant of Good Faith 
and Fair Dealing? 

q) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users' Unique Device 
Identifiers (“UDIDs”) involve a Conversion? 

r) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users' Unique Device 
Identifiers (“UDIDs”) involve a Negligence. 
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s) Did the implementation of Defendant’s business practices of transmitting, 
accessing, collecting, monitoring, remotely storing users’ Unique Device 
Identifiers (“UDIDs”) involve a Trespass to Personal Property / Chattels? 

t) Is the Defendant liable under a theory of aiding and abetting one (1) more of 
the involved entities for violations of the statutes listed herein? 

u) Is the Defendant liable under a theory of civil conspiracy for violations of the 
statutes listed herein? 

v) Is the Defendant liable under a theory of unjust enrichment for violations of 
the statutes listed herein? 

w) Whether Defendant participated in and/or committed or is responsible for 
violation of law(s) complained of herein? 

x) Are Class Members entitled to damages as a result of the implementation of 
Defendant’s marketing scheme, and, if so, what is the measure of those 
damages? 

y) Whether Plaintiffs and members of the Class have sustained damages as a 
result of Defendant’s conduct, and, if so, what is the appropriate measure of 
damages? 

z) Whether Plaintiffs and members of the Class are entitled to declaratory and/or 
injunctive relief to enjoin the unlawful conduct alleged herein; and 

aa) Whether Plaintiffs and members of the Class are entitled to punitive damages, 
and, if so, in what amount? 

278. Typicality: Plaintiffs’ claims are typical of the claims of all of the other members 
of the Class, because his claims are based on the same legal and remedial theories as the claims 
of the Class and arise from the same course of conduct by Defendant. 

279 - Adequacy of Representation: Plaintiffs will fairly and adequately protect the 
interests of the members of the Class. Plaintiffs have retained counsel highly experienced in 
complex consumer Class action litigation, and Plaintiffs intend to prosecute this action 
vigorously. Plaintiffs have no adverse or antagonistic interests to those of the Class. 

280. Superiority: A Class action is superior to all other available means for the fair 
and efficient adjudication of this controversy. The damages or other financial detriment suffered 

by individual Class Members is relatively small compared to the burden and expense that would 

OpenFeint Class Action Complaint 


85 






1 


2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 

26 

27 

28 


be entailed by individual litigation of their claims against the Defendant. It would thus be 
virtually impossible for the Class, on an individual basis, to obtain effective redress for the 
wrongs done to them. Furthermore, even if Class Members could afford such individualized 
litigation, the court system could not. Individualized litigation would create the danger of 
inconsistent or contradictory judgments arising from the same set of facts. Individualized 
litigation would also increase the delay and expense to all parties and the court system from the 
issues raised by this action. By contrast, the Class action device provides the benefits of 
adjudication of these issues in a single proceeding, economies of scale, and comprehensive 
supervision by a single court, and presents no unusual management difficulties under the 
circumstances here. 

281. In the alternative, the Class may be also certified because: 

a) the prosecution of separate actions by individual Class Members would create 
a risk of inconsistent or varying adjudication with respect to individual Class 
Members that would establish incompatible standards of conduct for the 
Defendant; 

b) the prosecution of separate actions by individual Class Members would create 
a risk of adjudications with respect to them that would, as a practical matter, 
be dispositive of the interests of other Class Members not parties to the 
adjudications, or substantially impair or impede their ability to protect their 
interests; and/or 

c) Defendant have acted or refused to act on grounds generally applicable to the 
Class thereby making appropriate final declaratory and/or injunctive relief 
with respect to the members of the Class as a whole. 

282. The claims asserted herein are applicable to all persons throughout the United 
States that meet the class definition and class period. 

283. The claims asserted herein are based on Federal law and California law, which is 
applicable to all Class Members throughout the United States. 

284. Adequate notice can be given to Class Members directly using information 
maintained in Defendant's records or through notice by publication. 
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285. Damages may be calculated from the information maintained in Defendant’s 
records, so that the cost of administering a recovery for the Class can be minimized. The amount 
of damages is known with precision from Defendant’s records. 

First Cause of Action 

Violation of the Computer Fraud and Abuse Act 
18 U.S.C. § 1030 etseq. 

Against Defendant OpenFeint 

286. Plaintiffs incorporate by reference all paragraphs previously alleged herein. 

287. Plaintiffs assert this claim against Defendant on behalf of themselves and the 

Class. 

288. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, referred to as “CFAA,” 
regulates fraud and relates activity in connection with computers, and makes it unlawful to 
intentionally access a computer used for interstate commerce or communication, without 
authorization or by exceeding authorized access to such a computer, thereby obtaining 
information from such a protected computer, within the meaning of U.S.C. § 1030(a)(2)(C). 

289. Defendant violated 18 U.S.C. § 1030 by intentionally accessing Plaintiffs’ and 
Class Members’ mobile computing device, without authorization by exceeding access, thereby 
obtaining information from such a protected device, causing the transmission to users’ mobile 
devices, either by native installation or upgrade, of code that caused users’ mobile devices to 
maintain, synchronize, and retain detailed, unencrypted location history files. 

290. At all relevant times, Defendant engaged in business practices of transmitting 
code from within the Plaintiffs’ and Class Members’ downloaded applications so as to access 
their mobile devices to obtain a UDID and mobile device data. Such acts were conducted without 
authorization and consent of the Plaintiffs and Class Members. 

291. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030(g), provides a civil cause 

of action to “any person who suffers damage or loss by reason of a violation” of CFAA. 
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292. The Computer Fraud and Abuse Act, 18 U.S.C. § I030(a)(5)(A)(i), makes it 
unlawful to “knowingly cause[s] the transmission of a program, information, code, or command 
and as a result of such conduct, intentionally causejs] damage without authorization, to a 
protected computer,” of a loss to one or more persons during any one-year period aggregating at 
least $5,000 in value. 

293. Plaintiffs’ and Class Members’ computers are a “protected computer...which is 
used in interstate commerce and/or communication” within the meaning of 18 U.S.C. § 
1030(e)(2)(B). 

294. Defendant violated 18 U.S.C. § 1030(a)(2)(C) by intentionally accessing a 
Plaintiffs and Class Members mobile computing device, without authorization or by exceeding 
access, thereby obtaining information from such a protected mobile computing device. 

295. Defendant violated 18 U.S.C. § 1030(a)(5)(A)(i) by knowingly causing the 
transmission of a command embedded within their webpage’s, downloaded to Plaintiffs’ and 
Class Members' mobile computing device, which are protected mobile computing devices as 
defined in 18 U.S.C. § 1030(e)(2)(B). By accessing, collecting, and transmitting Plaintiffs’ and 
Class Members viewing habits, Defendant intentionally caused damage without authorization to 
those Plaintiffs and Class Members’ mobile computing devices by impairing the integrity of the 
computer. 

296. Defendant violated 18 U.S.C. § 1030(a)(5)(A)(ii) by intentionally accessing 
Plaintiffs and Class Members protected mobile computing devices without authorization, and 
as a result of such conduct, recklessly caused damage to Plaintiffs’ and Class Members’ mobile 
computing devices by impairing the integrity of data and/or system and/or information. 

297. Defendant violated 18 U.S.C. § 1030(a)(5)(A)(iii) by intentionally accessing 
Plaintiffs and Class Members' protected mobile computing devices without authorization, and 
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as a result of such conduct, caused damage and loss to Plaintiffs and Class Members. 

298. Plaintiffs and Class Members have suffered damage by reason of these violations, 
as defined in 18 U.S.C. § 1030(e)(8), by the “impairment to the integrity or availability of data, a 
program, a system or information.” 

299. Plaintiffs and Class Members have suffered loss by reason of these violations, as 
defined in 18 U.S.C. § 1030(e)(l 1), by the “reasonable cost... including the cost of responding to 
an offense, conducting a damage assessment, and restoring the data, program, system, or 
information to its condition prior to the offense, and any revenue lost, cost incurred, or other 
consequential damages incurred because of interruption of service.” 

300. Plaintiffs and Class Members have suffered loss by reason of these violations, 
including, without limitation, violation of the right of privacy, disclosure of Personal Identifiable 
Information, Sensitive Identifying Information, and Personal Information, interception, and 
transactional information that otherwise is private, confidential, and not of public record. 

301. Defendant OpenFeint is liable for the violations of the Computer Fraud and Abuse 
Act alleged herein. 

302. As a result of these takings, Defendant 7 s conduct has caused a loss to one or more 
persons during any one-year period aggregating at least $5,000 in value in real economic 
damages. 

303. Plaintiffs and Class Members have additionally suffered loss by reason of these 
violations, including, without limitation, violation of the right of privacy. 

304. Defendant s unlawful access to Plaintiffs’ and Class Members’ computers and 
electronic communications has caused Plaintiffs and Class Members irreparable injury. Unless 
restrained and enjoined. Defendant will continue to commit such acts. Plaintiffs' and Class 
Members remedy at law is not adequate to compensate it for these inflicted and threatened 
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injuries, entitling Plaintiffs and Class Members to remedies including injunctive relief as 
provided by 18 U.S.C. § 1030(g). 

Second Cause of Action 

Violations of the Electronic Communications Privacy Act 
18 U.S.C. § 2510 
Against Defendant OpenFeint 

305. Plaintiffs incorporate by reference all paragraphs previously alleged herein. 

306. Plaintiffs assert this claim against Defendant on behalf of themselves and the 

Class. 

307. The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510, referred 

to as “ECPA,” regulates wire and electronic communications interception and interception of 

oral communications, and makes it unlawful for a person to “willfully intercept, endeavor to 
! . 

intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or 
electronic communication,” within the meaning of 18 U.S.C. § 2511(1). 

308. Defendant violated 18 U.S.C. § 2511 by intentionally acquiring and/or 
intercepting, by device or otherwise. Plaintiffs' and Class Members’ electronic communications, 
without knowledge, consent, or authorization. 

309. At all relevant times, Defendant engaged in business practices of intercepting the 
Plaintiffs’ and Class Members’ electronic communications which included endeavoring to 
intercept the transmission of a UDID from within their mobile device. Once the Defendant 
obtained the UDID they used such to aggregate mobile device data of the Plaintiffs and Class 
Members as they used their mobile device, browsed the Internet, and activated downloaded 
applications. 

310. The contents of data transmissions from and to Plaintiffs’ and Class Members' 
personal computers constitute “electronic communications” within the meaning of 18 U.S.C. 
§2510. 
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311. Plaintiffs and Class Members are “person[s] whose ... electronic communication 
is intercepted ... or intentionally used in violation of this chapter” within the meaning of 18 
U.S.C. § 2520. 

312. Defendant violated 18 U.S.C. § 2511(1 )(a) by intentionally intercepting, 
endeavoring to intercept, or procuring any other person to intercept or endeavor to intercept 
Plaintiffs' and Class Members’ electronic communications. 

313. Defendant violated 18 U.S.C. § 251 l(l)(c) by intentionally disclosing, or 
endeavoring to disclose, to any other person the contents of Plaintiffs’ and Class Members’ 
electronic communications, knowing or having reason to know that the information was obtained 
through the interception of Plaintiffs and Class Members’ electronic communications. 

314. Defendant violated 18 U.S.C. § 2511(1 )(d) by intentionally using, or endeavoring 
to use, the contents of Plaintiffs’ and Class Members’ electronic communications, knowing or 
having reason to know that the information was obtained through the interception of Plaintiffs’ 
and Class Members’ electronic communications. 

315. Defendant’s intentional interception of these electronic communications without 
Plaintiffs’ or Class Members’ knowledge, consent, or authorization was undertaken without a 
facially valid court order or certification. 

316. Defendant intentionally used such electronic communications, with knowledge, or 
having reason to know, that the electronic communications were obtained through interception, 
for an unlawful purpose. 

317. Defendant unlawfully accessed and used, and voluntarily disclosed, the contents 
of the intercepted communications to enhance their profitability and revenue through advertising. 
This disclosure was not necessary for the operation of Defendant's system or to protect 
Defendant’s rights or property. 
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318. The Electronic Communications Privacy Act of 1986, 18 USC §2520(a) provides 
a civil cause of action to “any person whose wire, oral, or electronic communication is 
intercepted, disclosed, or intentionally used” in violation of the ECPA. 

319. Defendant is liable directly and/or vicariously for this cause of action. Plaintiffs 
therefore seek remedy as provided for by 18 U.S.C. §2520, including such preliminary and other 
equitable or declaratory relief as may be appropriate, damages consistent with subsection (c) of 
that section to be proven at trial, punitive damages to be proven at trial, and a reasonable 
attorney’s fee and other litigation costs reasonably incurred. 

320. Plaintiffs and Class Members have additionally suffered loss by reason of these 
violations, including, without limitation, violation of the right of privacy. 

321. Plaintiffs and the Class, pursuant to 18 U.S.C. §2520, are entitled to preliminary, 
equitable, and declaratory relief, in addition to statutory damages of the greater of $10,000 or 

$ 100 a day tor each day of violation, actual and punitive damages, reasonable attorneys’ fees, 
and Defendant’s profits obtained from the above-described violations. Unless restrained and 
enjoined. Defendant will continue to commit such acts. Plaintiffs’ and Class Members’ remedy 
at law is not adequate to compensate it for these inflicted and threatened injuries, entitling 
Plaintiffs and Class Members to remedies including injunctive relief as provided by 18 U.S.C. § 
2510. 

Third Cause of Action 

Violation of California’s Computer Crime Law 
Penal Code § 502 et seq. 

Against Defendant OpenFeint 

322. Plaintiffs incorporate the above allegations by reference as if set forth herein at 

length. 
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Members into surrendering private electronic communications and activities for Defendant’ 
financial gain, and to wrongfully obtain valuable private data from Plaintiffs. 

329. Defendant violated California Penal Code § 502(c)(2) by knowingly accessing 
and without permission, taking, or making use of data from Plaintiffs’ and Class Members’ 
mobile devices. 

330. Defendant violated California Penal Code § 502(c)(3) by knowingly and without 
permission, using and causing to be used Plaintiffs’ and Class Members’ mobile computing 
devices’ services. 

331. Defendant violated California Penal Code section 502(c)(3) by knowingly and 
without permission using and causing to be used Plaintiffs’ and Class Members’ computer 
services. 

332. Defendant violated California Penal Code section 502(c)(4) by knowingly 
accessing and, without permission, adding and/or altering the data from Plaintiffs’ and Class 
Members computers, that is, application code installed on such computers. 

333. Defendant violated California Penal Code section 502(c)(5) by knowingly and 
without permission disrupting or causing the disruption of Plaintiffs’ and Class Members’ 
computer services or denying or causing the denial of computer services to Plaintiffs and the 
Class. 

334. Defendant violated California Penal Code § 502(c)(6) by knowingly and without 
permission providing, or assisting in providing, a means of accessing Plaintiffs’ computers, 
computer system, and/or computer network. 

335. Defendant violated California Penal Code § 502(c)(7) by knowingly and without 
permission accessing, or causing to be accessed, Plaintiffs’ computer, computer system, and/or 
computer network. 
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336. California Penal Code § 502(j) states: “For purposes of bringing a civil or a 
criminal action under this section, a person who causes, by any means, the access of a computer, 
computer system, or computer network in one jurisdiction from another jurisdiction is deemed to 
have personally accessed the computer, computer system, or computer network in each 
jurisdiction.” 

337. Plaintiffs have also suffered irreparable injury from these unauthorized acts of 
disclosure, to wit: their personal, private, and sensitive electronic data was obtained and used by 
Defendant. Due to the continuing threat of such injury, Plaintiffs have no adequate remedy at 
law, entitling Plaintiffs to injunctive relief. 

338. Plaintiffs and Class Members have additionally suffered loss by reason of these 
violations, including, without limitation, violation of the right of privacy. 

339. As a direct and proximate result of Defendant’s unlawiul conduct within the 
meaning of California Penal Code § 502, Defendant caused loss to Plaintiffs in an amount to be 
proven at trial. Plaintiffs are also entitled to recover their reasonable attorneys* fees pursuant to 
California Penal Code § 502(e). 

340. Plaintiffs and the Class Members seek compensatory damages, in an amount to be 
proven at trial, and injunctive or other equitable relief. 

Fourth Cause of Action 

Violation of the California Invasion of Privacy Act 
Penal Code § 630 et seq. 

Against Defendant OpenFeint 

341. Plaintiffs incorporate the above allegations by reference as if set forth herein at 

length. 

342. Plaintiffs assert this claim against Defendant on behalf of themselves and the 

Class. 

343. California Penal Code section 630 provides, in part: 
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“Any person who,... or who willfully and without the consent of all 
parties to the communication, or in any unauthorized manner, reads, or 
attempts to read, or to learn the contents or meaning of any message, 
report, or communication while the same is in transit or passing over any 
wire, line, or cable, or is being sent from, or received at any place within 
this state; or who uses, or attempts to use, in any manner, or for any 
purpose, or to communicate in any way, any information so obtained, or 
who aids, agrees with, employs, or conspires with any person or persons to 
unlawfully do, or permit, or cause to be done any of the acts or things 
mentioned above in this section, is punishable .. 

344. At all relevant times, Defendant’s business practices of accessing the mobile 
device data of the Plaintiffs and Class Members was without authorization and consent; 
including but not limited to obtaining any and all communications involving their UDID. 

345. On information and belief, each Plaintiff, and each Class Member, during one or 
more of their interactions on the Internet during the Class Period, communicated with one or 
more web entities based in California, or with one or more entities whose servers were located in 
California. 

346. Communications from the California web-based entities to Plaintiffs and Class 
Members were sent from California. Communications to the California web-based entities from 
Plaintiffs and Class Members were sent to California. 

347. Plaintiffs and Class Members did not consent to any of the Defendant's actions in 
intercepting, reading, and/or learning the contents of their communications with such Califomia- 


21 


based entities. 


22 


348. Plaintiffs and Class Members did not consent to any of the Defendant's actions in 
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using the contents of their communications with such California-based entities. 
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349. Defendant is not a “ public utility engaged in the business of providing 
communications services and facilities . . .” 


350. Defendant’s actions alleged herein were not undertaken: “for the purpose of 
construction, maintenance, conduct or operation of the services and facilities of the public 
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351. Defendant’s actions alleged herein were not undertaken in connection with: “the 
use of any instrument, equipment, facility, or service furnished and used pursuant to the tariffs of 
a public utility. 

352. Defendant’s actions alleged herein were not undertaken with respect to any 
telephonic communication system used for communication exclusively within a state, county, 
city and county, or city correctional facility. 

353. Defendant directly participated in the interception, reading, and/or learning the 
contents of the communications between Plaintiffs, Class Members and California-based web 
entities. 

354. Alternatively, and of equal violation of the California Invasion of Privacy Act, 
Defendant aided, agreed with, and/or conspired with involved entities to unlawfully do, or 
permit, or cause to be done all of the acts complained of herein. 

355. Plaintiffs and Class Members have additionally suffered loss by reason of these 
violations, including, without limitation, violation of the right of privacy. 

356. Unless restrained and enjoined. Defendant will continue to commit such acts. 
Pursuant to Section 637.2 of the California Penal Code, Plaintiffs and the Class have been 
injured by the violations of California Penal Code section 631. Wherefore, Plaintiffs, on behalf 
of themselves and on behalf of a similarly situated Class of consumers, seek damages and 
injunctive relief. 

Fifth Cause of Action 

Violation of the Consumer Legal Remedies Act 
(“CLRA”) California Civil Code § 1750, etseq. 

Against Defendant OpenFeint 

357. Plaintiffs incorporate the foregoing allegations as if fully set forth herein. 

358. In violation of Civil Code section 1750, et seq. (the “CLRA”), Defendant engaged 
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and is engaging in unfair and deceptive acts and practices in the course of transactions with 
Plaintiffs, and such transactions are intended to and have resulted in the sales of services to 
consumers. Plaintiffs and the Class Members are “consumers” as that term is used in the CLRA 
because they sought or acquired Defendant’s goods or services for personal, family, or 
household purposes. 

359. At all relevant times, Defendant’s business practices of selling OpenFeint 
applications, or allowing OpenFeint application’s use for free, were goods Plaintiffs and Class 
Members obtained for use. Defendant’s scheme to offer such goods misleads the nature and 
integrity of the application since Defendant intended to use such for mobile device tracking. 

360. Defendant’s representations that its services have characteristics, uses, and 
benefits that they do not have, in violation of Civil Code § 1770(a)(5). 

361. This cause of action is brought pursuant to the California Consumers Legal 
Remedies Act, Cal. Civ. Code § 1750 et seq. (the “CLRA”). This cause of action does not seek 
monetary damages at this point, but is limited solely to injunctive relief. Plaintiffs and Class 
Members will amend this Class Action Complaint to seek damages in accordance with the 
CLRA after providing the Defendant with notice pursuant to California Civil Code § 1782. 

362. At this time. Plaintiffs and Class Members seek only injunctive relief under this 
cause of action. Pursuant to California Civil Code, Section 1782, Plaintiffs will notify Defendant 
in writing of the particular violations of Civil Code, Section 1770 and demand that Defendant 
rectify the problems associated with its behavior detailed above, which acts and practices are in 
violation of Civil Code § 1770. 

363. If Defendant fails to respond adequately to Plaintiffs’ and Class Members' above- 
described demand within 30 days of Plaintiffs' notice, pursuant to California Civil Code, Section 
1782(b), Plaintiffs will amend the complaint to request damages and other relief, as permitted by 
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Civil Code, Section 1780. 

Sixth Cause of Action 

Violation of Unfair Competition California Business and Professions Code § 17200 

Against Defendant OpenFeint 

364. Plaintiffs incorporate the foregoing allegations as if fully set forth herein. 

365. In violation of California Business and Professions Code § 17200 et seq., 
Defendant’ conduct in this regard is ongoing and includes, but is not limited to, unfair, unlawful 
and fraudulent conduct. 

366. Defendant misled consumers by continuously and falsely representing during the 
Class Period that they would not make Personally Identifiable Information available to third 
parties as alleged herein. 

367. At all relevant times, Defendant’s business practices of merging its mobile 
devices and Application Developer’s applications and services to Plaintiffs and Class Members 
by way of, inter alia, commercial marketing and advertising, misrepresented and/or omitted the 
truth about the extent to which Defendant would obtain and share Plaintiffs’ and Class Members’ 
Sensitive and Personal Identifiable Information with third parties. 

368. Defendant engaged in these unfair and fraudulent practices to increase their 
profits. Had Plaintiffs known that Defendant would share their Personally Identifiable 
Information with third parties; they would not have purchased or used the Defendant’s services, 
which in turn, forced them to relinquish, for free, valuable Personal Information. 

369. By engaging in the above-described acts and practices. Defendant committed one 
or more acts of unfair competition within the meaning of the UCL and, as a result, Plaintiffs and 
the Class have suffered injury-in-fact and have lost money and/or property—specifically. 
Personal Information. 
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A. Unlawful Business Act and Practices 

370. Defendant’s business acts and practices are unlawful, in part, because they violate 
California Business and Professions Code § 17500, et seq., which prohibits false advertising, in 
that they were untrue and misleading statements relating to Defendant’s performance of services 
and with the intent to induce consumers to enter into obligations relating to such services, and 
regarding statements Defendant knew were false or by the exercise of reasonable care Defendant 
should have known to be untrue and misleading. 

371. Defendant’s business acts and practices are also unlawful in that they violate the 
California Consumer Legal Remedies Act, California Civil Code, Sections 1647, et seq., 1750, et 
seq., and 3344, California Penal Code, section 502, and Title 18, United States Code, Section 
1030. Defendant is therefore in violation of the “unlawful” prong of the UCL. 

B. Unfair Business Act and Practices 

372. Defendant's business acts and practices are unfair because they cause harm and 
injury-in-fact to Plaintiffs and Class Members, and for which Defendant has no justification 
other than to increase, beyond what Defendant would have otherwise realized, its profit in fees 
from advertisers and its information assets through the acquisition of consumers' Personal 
Information. 

373. Defendant’s conduct lacks reasonable and legitimate justification in that 
Defendant benefited from such conduct and practices while Plaintiffs and the Class Members 
have been misled as to the nature and integrity of Defendant’s services and have, in fact, suffered 
material disadvantage regarding their interests in the privacy and confidentiality of their Personal 
Information. Defendant’s conduct offends public policy in California tethered to the Consumer 
Legal Remedies Act, the state constitutional right of privacy, and California statutes recognizing 
the need for consumers to obtain material information that enables them to safeguard their own 
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privacy interests, including California Civil Code, Section 1798.80. 

374. In addition, Defendant’s modus operandi constitutes a sharp practice in that 
Defendant knew and should have known that consumers care about the status of Personal 
Information and privacy but are unlikely to be aware of and able to detect the means by which 
Defendant was conducting themselves in a manner adverse to their commitments and users’ 
interests, through the undisclosed functions of mobile devices and apps and the related conduct 
of the Defendant. Defendant is therefore in violation of the unfairness prong of the Unfair 
Competition Law. 

375. Defendant’s acts and practices were fraudulent within the meaning of the Unfair 
Competition Law because they were likely to mislead the members of the public to whom they 
were directed. 

376. Defendant’s practice of capturing, storing, and transferring through 
synchronization to other computers highly detailed and personal records of users' location 
histories of long duration, and storing such information in unencrypted form, was in violation of 
the unfairness prong of the Unfair Competition Law. 

377. Plaintiffs, on behalf of themselves and on behalf of each member of the Class, 
seek individual restitution, injunctive relief, and other relief allowed under the UCL as the Court 
deems just and proper. 

Seventh Cause of Action 
Breach of Contract 
Against Defendant OpenFeint 

378. Plaintiffs hereby incorporate by reference the allegations contained in all of the 
preceding paragraphs of this complaint. 

379. Plaintiffs and Class Members entered into a contract with Defendant OpenFeint in 
order to use the OpenFeint Store apps. This contract had rights, obligations, and duties between 
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Plaintiffs and Class Members and Defendant OpenFeint, including but not limited to, protecting 
the privacy of its users. 

380. Plaintiffs and Class Members activities involved in their use of the OpenFeint 
App Store included, but was not limited to, providing Personal Identifiable Information to 
Defendant OpenFeint; furthermore Defendant OpenFeint designed the Plaintiffs’ and Class 
Members’ mobile device data, including but not limited to, their mobile devices’ UDID with 
third parties, including Application Developers and Application Developers Affiliates, in 
violation of its own contract with Plaintiffs and Class Members. 

381. Plaintiffs and Class Members did not have notice, nor consent to. Defendant 
OpenFeint sharing their mobile devices UDID with Application Developers or Application 
Developers’ Affiliates. 

382. Plaintiffs and Class Members have performed their obligation pursuant to 
Defendant OpenFeint’s contract. 

383. Defendant OpenFeint has materially breached its contractual obligations through 
its conduct. 

384. Plaintiffs and Class Members have been damaged as a direct and proximate result 
of Defendant OpenFeint’s breach of their contract. 

Eighth Claim For Relief 

Breach of Implied Covenant of Good Faith and Fair Dealing 
Against Defendant OpenFeint 

385. Plaintiffs hereby incorporate by reference the allegations contained in all of the 
preceding paragraphs in this complaint. 

386. As set forth above. Plaintiffs and Class Members submit Personal Information to 
OpenFeint and such information is stored on Plaintiffs’ and Class Members’ mobile devices, and 
OpenFeint promises in its Privacy Policy that it will not share this information with third-party 
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advertisers or Application Developers without Plaintiffs’ consent, and the consent of each Class 
Member, respectively, and promises in its click-through agreement to protect users’ privacy. 

387. A covenant of good faith and fair dealing, which imposes upon each party to a 
contract a duty of good faith and fair dealing in its performance, is implied in every contract, 
including their agreement in the transactions for acquisitions of Defendant OpenFeint’s 
applications that embodies the relationship between OpenFeint and its users. 

388. Good faith and fair dealing is an element imposed by common law or statute as an 
element of every contract under the laws of every state. Under the covenant of good faith and fail 
dealing, both parties to a contract impliedly promise not to violate the spirit of the bargain and 
not to intentionally do anything to injure the other party’s right to receive the benefits of the 
contract. 

389. Plaintiffs and Class Members reasonably relied upon OpenFeint to act in good 
faith with regard to the contract and in the methods and manner in which it carries out the 
contract terms. Bad faith can violate the spirit of their agreements and may be overt or may 
consist of inaction. OpenFeint’s inaction in failing to adequately notify Plaintiffs and Class 
Members of the release of their Personal Information to the Application Developers, and by 
Application Developers Affiliates, depriving Plaintiffs and Class Members of the means to 
discover their information was “leaked,” thus evidencing bad faith and ill motive. 

390. The contract is a form contract, the terms of which Plaintiffs are deemed to have 
accepted once Plaintiffs and the Class signed up with OpenFeint. The contract purports to give 
discretion to OpenFeint relating to its protection of users’ privacy. OpenFeint is subject to an 
obligation to exercise that discretion in good faith. The covenant of good faith and fair dealing is 
breached when a party to a contract uses discretion conferred by the contract to act dishonestly or 
to act outside of accepted commercial practices. OpenFeint breached its implied covenant of 
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good faith and fair dealing by exercising bad faith in using its discretionary rights to deliberately, 
routinely, and systematically make Plaintiffs’ and Class Members’ personal information 
available to third parties. 

391. Plaintiffs and Class Members’ have performed all, or substantially alt, of the of 
the obligations imposed on them under contract, whereas OpenFeint has acted in a manner as to 
evade the spirit of the contract, in particular by deliberately, routinely, and systematically 
without notifying Plaintiffs and Class Members of its disclosure of Plaintiffs’ and Class 
Members’ personal information to Affiliates, and by Developers. Such actions represent a 
fundamental wrong that is clearly beyond the reasonable expectation of the parties. OpenFeint’s 
causing the disclosure of such information to the Affiliates, and by Developers is not in 
accordance with the reasonable expectations of the parties and evidences a dishonest motive. 

392. OpenFeint’s ill motive is further evidenced by its failure to obtain Plaintiffs’ and 
Class Members’ consent in data mining efforts while at the same time consciously and 
deliberately facilitating data mining to automatically and without notice provide user information 
the Affiliates, and by Developers. OpenFeint profits from advertising revenues derived from its 
data mining efforts from Plaintiffs and the Class. 

393. The obligation imposed by the implied covenant of good faith and fair dealing is 
an obligation to refrain from opportunistic behavior. OpenFeint has breached the implied 
covenant of good faith and fair dealing in their agreement through its policies and practices as 
alleged herein. Plaintiffs and the Class have sustained damages and seek a determination that the 
policies and procedures of OpenFeint are not consonant with OpenFeint’s implied duties of good 
faith and fair dealing. 

394. OpenFeint's capture, retention, and transfer through synchronization of users’ 
detailed location histories, even when such users had disabled GPS services on their mobile 
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Ninth Cause of Action 
Conversion 

Against Defendant OpenFeint 

395. Plaintiffs hereby incorporate by reference the allegations contained in all of the 
preceding paragraphs of this complaint. 

396. Plaintiffs’ and Class Members’ mobile device data, including but not limited to 
their mobile devices’ UDID is being used by Defendant to obtain sensitive and Personal 
Identifiable Information derived from Plaintiffs’ and Class Members’ mobile browsing activities. 
Such property, owned by the Plaintiffs and Class Members, is valuable to the Plaintiffs and Class 
Members. 

397. Plaintiffs’ and Class Members' mobile devices use bandwidth. Defendant’s 
activities, made the basis of this action, used without notice or authorization, such bandwidth for 
purposes not contemplated, not agreed to, by Plaintiffs and Class Members when they 
downloaded Application Developer's applications. Such property, owned by the Plaintiffs and 
Class Members, is valuable to the Plaintiffs and Class Members. 

398. Defendant unlawfully exercised dominion over said property and thereby 
converted Plaintiffs’ and Class Members’ property, by providing Sensitive and Personally 
Identifying Information to third parties and by using Plaintiffs’ and Class Members' bandwidth 
for data mining, in violation of the collective allegations, made the basis of this action. 

399. Plaintiffs and Class Members were damaged thereby. 
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Tenth Cause of Action 
Negligence 

Against Defendant OpenFeint 

400. Plaintiffs incorporate the above allegations by reference as if folly set forth 

herein. 

401. As set forth above, OpenFeint owed a duty to Plaintiffs and Class Members. 

402. OpenFeint breached its duty by designing a mobile platform so that the 
Application Affiliates and Application Developers could acquire Personal Information without 
consumers’ knowledge or permission, by failing to review and remove privacy-violating apps 
from the OpenFeint Application Market, and by constructing and controlling consumers’ user 
experience and mobile environment so that consumers could not reasonably avoid such privacy- 
affecting actions. 

403. OpenFeint failed to fulfill its own commitments and, further, failed to fulfill even 
the minimum duty of care to protect Plaintiffs' and Class Members’ Personal Information, 
privacy rights, and security. 

404. OpenFeint’s failure to fulfill its commitments included its practice of capturing 
frequent and detailed information about users’ “Fine” locations for unreasonable retention 
periods, maintaining records of such location histories on users, transferring such location history 
files to users’ replacement mobile device, transferring such location history files to other mobile 
devices with which users synchronized their mobile devices, and storing such location history 
files in accessible, unencrypted form, all without providing notice to users or obtaining users’ 
consent, and where consumers had no reasonable means to become aware of such practice or to 
manage it, and where such practice placed users at unreasonable risk of capture and misuse of 
such highly detailed and Personal Information, and where a reasonable consumer would consider 
| such a practice unexpected, objectionable, and shocking to the conscience of a reasonable 
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405. OpenFeint’s unencrypted cloud storage which was synchronized the information 
described above was negligent. 

406. Plaintiffs and Class Members were harmed as a result of OpenFeint’s breach of itsj 

duties, and OpenFeint proximately caused such harms. 

Eleventh Cause of Action 
Trespass to Personal Property / Chattels 
Against Defendant OpenFeint 

407. Plaintiffs incorporate by reference all paragraphs previously alleged herein. 

408. The common law prohibits the intentional intermeddling with personal property, 
including a mobile device, in possession of another which results in the deprivation of the use of 
| the personal property or impairment of the condition, quality, or usefulness ol the personal 

| property. 

409. By engaging in the acts alleged in this complaint without the authorization or 

| consent of Plaintiffs and Class Members, Defendant dispossessed Plaintiffs and Class Members 
from use and/or access to their mobile devices, or parts of them. Further, these acts impaired the 
i use, value, and quality of Plaintiffs’ and Class Members’ mobile device. Defendant's acts 
j constituted an intentional interference with the use and enjoyment of their mobile devices. By thej 
acts described above. Defendant has repeatedly and persistently engaged in trespass to personal 
property in violation of the common law. 

410. Without Plaintiffs’ and Class Members’ consent, or in excess of any consent 
I given, Defendant knowingly and intentionally accessed Plaintiffs' and Class Members property, 
j thereby intermeddling with Plaintiffs' and Class Members’ right to possession of the property 

i and causing injury to Plaintiffs and the members of the Class. 

411. Defendant engaged in deception and concealment in order to gam access to 
I Plaintiffs’ and Class Members’ mobile devices. 

412. Defendant undertook the following actions with respect to Pla intiffs’ and Class 
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Members’ mobile devices: 

a) Defendant accessed and obtained control over the users’ mobile device; 

b) Defendant caused the installation of code on the hard drives of the mobile 
devices; 

c) Defendant programmed the operation of its code to circumvent the mobile device 
owners privacy and security controls, to remain beyond their control, and to continue function 
and operate without notice to them or consent from Plaintiffs and Class Members; 

d) Defendant obtained users’ UDID from a tracking code on the users’ mobile 
device; and 

e) Defendant used the users’ UDID to obtain without notice or consent, mobile 
browsing activities of the mobile device, and outside of the control of the owner of the mobile 
device. 

413. All these acts described above were acts in excess of any authority any user 
granted when he or she visited the Defendant OpenFeint’s Application Market and downloaded 
one (1) or more of the Defendant OpenFeint affiliated applications and none of these acts was in 
furtherance of users viewing the applications. By engaging in deception and misrepresentation, 
whatever authority or permission Plaintiffs and Class Members may have granted to Defendant 
OpenFeint and/or Application Developers was invalid. 

414. Defendant’s installation and operation of its program used, interfered, and/or 
intermeddled with Plaintiffs’ and Class Members’ mobile devices. Such use, interference and/or 
intermeddling was without Plaintiffs’ and Class Members’ consent or, in the alternative, in 
excess of Plaintiffs’ and Class Members’ consent. 

415. Defendant’s installation and operation of its program constitutes trespass, 
nuisance, and an interference with Plaintiffs" and Class Members’ chattels, to wit, their mobile 
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416. Defendant’s installation and operation of its program impaired the condition and 
value of Plaintiffs’ and Class Members’ mobile devices. 

417. Defendant’s trespass to chattels, nuisance, and interference caused real and 
substantial damage to Plaintiffs and Class Members. 

418. Asa direct and proximate result of Defendant’s trespass to chattels, nuisance, 
interference, unauthorized access of and intermeddling with Plaintiffs’ and Class Members’ 
property, Defendant injured and impaired in the condition and value of Class Members’ mobile 
devices, as follows: 

a) By consuming the resources of and/or degrading the performance of 
Plaintiffs’ and Class Members’ mobile devices (including space, memory, 
processing cycles, Internet connectivity, and unauthorized use of their 
bandwidth); 

b) By diminishing the use of, value, speed, capacity, and/or capabilities of 
Plaintiffs’ and Class Members’ mobile devices; 

c) By devaluing, interfering with, and/or diminishing Plaintiffs’ and Class 
Members’ possessory interest in their mobile devices; 

d) By altering and controlling the functioning of Plaintiffs’ and Class Members’ 
mobile devices; 

e) By infringing on Plaintiffs’ and Class Members’ right to exclude others from 
their mobile devices; 

f) By infringing on Plaintiffs’ and Class Members’ right to determine, as owners 
of/or their mobile devices, which programs should be installed and operating 
on their mobile devices; 

g) By compromising the integrity, security, and ownership of Plaintiffs’ and 
Class Members’ mobile devices; and 

h) By forcing Plaintiffs and Class Members to expend money, time, and 
resources in order to remove the program installed on their mobile devices 
without notice or consent. 

PRAYER FOR RELIEF 
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WHEREFORE, Plaintiffs, on behalf of themselves and all others similarly situated, prays 
for judgment against Defendant as follows: 


A. Certify this case as a Class action on behalf of the Classes defined above, appoint 
Plaintiffs as Class representatives, and appoint their counsel as Class counsel; 

B. Declare that the actions of Defendant, as set out above, violate the following: 

a) Computer Fraud and Abuse Act, 18 U.S.C. § 1030; 

b) Electronic Communications Privacy Act 18 U.S.C. § 2510; 

c) California’s Computer Crime Law, Penal Code § 502; 

d) California Invasion of Privacy Act, Penal Code § 630; 

e) Consumer Legal Remedies Act, (“CLRA”) California Civil Code § 1750; 

f) Unfair Competition, California Business and Professions Code § 17200; 

g) Breach of Contract; 

h) Breach of Implied Covenant of Good Faith and Fair Dealing; 

i) Conversion; 

j) Negligence; 

k) Trespass to Personal Property / Chattels; and 


C. As applicable to the Classes mutatis mutandis , awarding injunctive and equitable relief 
including, inter alia : (i) prohibiting Defendant from engaging in the acts alleged above; 
(ii) requiring Defendant to disgorge all of its ill-gotten gains to Plaintiffs and the other 
Class Members, or to whomever the Court deems appropriate; (iii) requiring Defendant 
to delete all data surreptitiously or otherwise collected through the acts alleged above; 

(iv) requiring Defendant to provide Plaintiffs and the other Class Members a means to 
easily and permanently decline any participation in any data collection activities, (v) 
awarding Plaintiffs and Class Members hill restitution of all benefits wrongfully acquired 
by Defendant by means of the wrongful conduct alleged herein; and (vi) ordering an 
accounting and constructive trust imposed on the data, funds, or other assets obtained by 
unlawful means as alleged above, to avoid dissipation, fraudulent transfers, and/or 
concealment of such assets by Defendant; 


D. Award damages, including statutory damages where applicable, to Plaintiffs and Class 
Members in an amount to be determined at trial; 


OpenFeint Class Action Complaint" 
110 





E. Award restitution against Defendant for all money to which Plaintiffs and the Classes are 
entitled in equity: 

F. Restrain Defendant, its officers, agents, servants, employees, and attorneys, and those in 
active concert or participation with them from continued access, collection, and 
transmission of Plaintiffs’ and Class Members’ Personal Information via preliminary and 
permanent injunction; 

G. Award Plaintiffs and the Classes: 

a) their reasonable litigation expenses and attorneys’ fees; 

b) pre- and post-judgment interest, to the extent allowable; 

c) restitution, disgorgement and/or other equitable relief as the Court deems 
proper; 

d) compensatory damages sustained by Plaintiffs and all others similarly situated 
as a result of Defendant’s unlawful acts and conduct; 

e) statutory damages, including punitive damages; and 

f) permanent injunction prohibiting Defendant from engaging in the conduct and 
practices complained of herein. 

H. For such other and further relief as this Court may deem just and proper. 


Dated this 22 nd day of June 2011 


By: David C. Parisi 

David C. Parisi (SBN 162248) 

dparisifa),parisihavens.com 

PARISI & HAVENS LLP 
15233 Valleyheart Drive 
Sherman Oaks, CA 91403 
Telephone: (818) 990-1299 
Fax: (818) 501-7852 

Joseph H. Mai ley (not yet admitted) 
malleylawf@gmail.com 

LAW OFFICE OF JOSEPH H. MALLEY, P.C. 

1045 North Zang Blvd 
Dallas, TX 75208 
Telephone: (214) 943-6100 
Fax: (214) 943-6170 

Counsel for Plaintiffs 
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The Plaintiffs hereby demand a trial by jury of all issues so triable 
Dated this 22 nd day of June 2011 



By: David C. Parisi 


David C. Parisi (SBN 162248) 
dparisi@parisihavens.com 
PARISI & HAVENS LLP 
15233 Valleyheart Drive 
Sherman Oaks, CA 91403 
Telephone: (818) 990-1299 
Fax: (818) 501-7852 

Joseph H. Mai ley (not yet admitted) 
malleylaw@gmail.com 

LAW OFFICE OF JOSEPH H. MALLEY, P.C. 

1045 North Zang Blvd 

Dallas, TX 75208 

Telephone: (214) 943-6100 

Fax: (214)943-6170 

Counsel for Plaintiffs 
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TIF.n > ARATIQN OF iPAVID C, PARIS! 

I. David C. Parisi, hereby declare on oath follows: 

1. I am an attorney licensed to practicb law in the state of California. 1 am over the 
age of 18 years and I have personal knowledge oflthe matters attested to herein. If called upon tc 

testify, I would and could competently do so. 

2. 1 make this declaration pursuant to California Civil Code section 1780(c) on 

behalf of my clients, plaintiffs Matthew Hines, Jennifer Aguirre and Alexander Hernandez. 

! 3. Defendant Openfeint, Inc.’s principle executive offices and headquarters are 

located at 1999 S. Bascom Ave., Suite 925, Campbell, California 95008. 

I declare under penalty of perjury under thb laws of the State of California that the 
foregoing is true and correct. Dated this 22" d day of June, 2011 at Sherman Oaks. California. 


David C. Parisi 
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